diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/sample_input_report/xccdf-results-openscap-ComplianceAsCode-ubuntu1804.xml b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/sample_input_report/xccdf-results-openscap-ComplianceAsCode-ubuntu1804.xml
new file mode 100644
index 0000000000..ccb355f660
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/sample_input_report/xccdf-results-openscap-ComplianceAsCode-ubuntu1804.xml
@@ -0,0 +1,64639 @@
+
+
+ draft
+ Guide to the Secure Configuration of Ubuntu 18.04
+ This guide presents a catalog of security-relevant
+configuration settings for Ubuntu 18.04. It is a rendering of
+content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
+in order to support security automation. The SCAP content is
+is available in the scap-security-guide package which is developed at
+
+ https://www.open-scap.org/security-policies/scap-security-guide.
+
+Providing system administrators with such guidance informs them how to securely
+configure systems under their control in a variety of network roles. Policy
+makers and baseline creators can use this catalog of settings, with its
+associated references to higher-level security control catalogs, in order to
+assist them in security baseline creation. This guide is a catalog, not a
+checklist, and satisfaction of every item is not likely to be possible or
+sensible in many operational scenarios. However, the XCCDF format enables
+granular selection and adjustment of settings, and their association with OVAL
+and OCIL content provides an automated checking capability. Transformations of
+this document, and its associated automated checking content, are capable of
+providing baselines that meet a diverse set of policy objectives. Some example
+XCCDF Profiles, which are selections of items that form checklists and
+can be used as baselines, are available with this guide. They can be
+processed, in an automated fashion, with tools that support the Security
+Content Automation Protocol (SCAP). The DISA STIG, which provides required
+settings for US Department of Defense systems, is one example of a baseline
+created from this guidance.
+
+ Do not attempt to implement any of the settings in
+this guide without first testing them in a non-operational environment. The
+creators of this guidance assume no responsibility whatsoever for its use by
+other parties, and makes no guarantees, expressed or implied, about its
+quality, reliability, or any other characteristic.
+
+ The SCAP Security Guide Project
+
+ https://www.open-scap.org/security-policies/scap-security-guide
+
+ Red Hat and Red Hat Enterprise Linux are either registered
+trademarks or trademarks of Red Hat, Inc. in the United States and other
+countries. All other names are registered trademarks or trademarks of their
+respective companies.
+
+ 0.1.66
+
+ SCAP Security Guide Project
+ SCAP Security Guide Project
+ Frank J Cameron (CAM1244) <cameron@ctc.com>
+ 0x66656c6978 <0x66656c6978@users.noreply.github.com>
+ Håvard F. Aasen <havard.f.aasen@pfft.no>
+ Jack Adolph <jack.adolph@gmail.com>
+ Edgar Aguilar <edgar.aguilar@oracle.com>
+ Gabe Alford <redhatrises@gmail.com>
+ Firas AlShafei <firas.alshafei@us.abb.com>
+ Rodrigo Alvares <ralvares@redhat.com>
+ Christopher Anderson <cba@fedoraproject.org>
+ angystardust <angystardust@users.noreply.github.com>
+ anivan-suse <anastasija.ivanovic@suse.com>
+ anixon-rh <55244503+anixon-rh@users.noreply.github.com>
+ Ikko Ashimine <eltociear@gmail.com>
+ Chuck Atkins <chuck.atkins@kitware.com>
+ Bharath B <bhb@redhat.com>
+ Ryan Ballanger <root@rballang-admin-2.fastenal.com>
+ Alex Baranowski <alex@euro-linux.com>
+ Eduardo Barretto <eduardo.barretto@canonical.com>
+ Molly Jo Bault <Molly.Jo.Bault@ballardtech.com>
+ Andrew Becker <A-Beck@users.noreply.github.com>
+ Gabriel Becker <ggasparb@redhat.com>
+ Alexander Bergmann <abergmann@suse.com>
+ Dale Bewley <dale@bewley.net>
+ Jose Luis BG <bgjoseluis@gmail.com>
+ binyanling <binyanling@uniontech.com>
+ Joseph Bisch <joseph.bisch@gmail.com>
+ Jeff Blank <blank@eclipse.ncsc.mil>
+ Olivier Bonhomme <ptitoliv@ptitoliv.net>
+ Lance Bragstad <lbragstad@gmail.com>
+ Ted Brunell <tbrunell@redhat.com>
+ Marcus Burghardt <maburgha@redhat.com>
+ Matthew Burket <mburket@redhat.com>
+ Blake Burkhart <blake.burkhart@us.af.mil>
+ Patrick Callahan <pmc@patrickcallahan.com>
+ George Campbell <gcampbell@palantir.com>
+ Nick Carboni <ncarboni@redhat.com>
+ Carlos <64919342+carlosmmatos@users.noreply.github.com>
+ James Cassell <james.cassell@ll.mit.edu>
+ Frank Caviggia <fcaviggia@users.noreply.github.com>
+ Eric Christensen <echriste@redhat.com>
+ Dan Clark <danclark@redhat.com>
+ Jayson Cofell <1051437+70k10@users.noreply.github.com>
+ Caleb Cooper <coopercd@ornl.gov>
+ Richard Maciel Costa <richard.maciel.costa@canonical.com>
+ Xavier Coulon <xavier.coulon@suse.com>
+ Deric Crago <deric.crago@gmail.com>
+ crleekwc <crleekwc@gmail.com>
+ cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com>
+ Maura Dailey <maura@eclipse.ncsc.mil>
+ Klaas Demter <demter@atix.de>
+ denknorr <dennis.knorr@suse.com>
+ dhanushkar-wso2 <dhanushkar@wso2.com>
+ Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu>
+ dom <dominique.blaze@devinci.fr>
+ Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr>
+ Marco De Donno <mdedonno1337@gmail.com>
+ dperrone <dperrone@redhat.com>
+ drax <applezip@gmail.com>
+ Sebastian Dunne <sdunne@redhat.com>
+ François Duthilleul <francoisduthilleul@gmail.com>
+ Greg Elin <gregelin@gitmachines.com>
+ eradot4027 <jrtonmac@gmail.com>
+ Alexis Facques <alexis.facques@mythalesgroup.io>
+ Leah Fisher <lfisher047@gmail.com>
+ Yavor Georgiev <strandjata@gmail.com>
+ Alijohn Ghassemlouei <alijohn@secureagc.com>
+ Swarup Ghosh <swghosh@redhat.com>
+ ghylock <ghylock@gmail.com>
+ Andrew Gilmore <agilmore2@gmail.com>
+ Joshua Glemza <jglemza@nasa.gov>
+ Nick Gompper <forestgomp@yahoo.com>
+ David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>
+ Loren Gordon <lorengordon@users.noreply.github.com>
+ Patrik Greco <sikevux@sikevux.se>
+ Steve Grubb <sgrubb@redhat.com>
+ guangyee <gyee@suse.com>
+ Christian Hagenest <christian.hagenest@suse.com>
+ Marek Haicman <mhaicman@redhat.com>
+ Vern Hart <vern.hart@canonical.com>
+ Alex Haydock <alex@alexhaydock.co.uk>
+ Rebekah Hayes <rhayes@corp.rivierautilities.com>
+ Trey Henefield <thenefield@gmail.com>
+ Henning Henkel <henning.henkel@helvetia.ch>
+ hex2a <hex2a@users.noreply.github.com>
+ John Hooks <jhooks@starscream.pa.jhbcomputers.com>
+ Jakub Hrozek <jhrozek@redhat.com>
+ De Huo <De.Huo@windriver.com>
+ Robin Price II <robin@redhat.com>
+ Yasir Imam <yimam@redhat.com>
+ Jiri Jaburek <jjaburek@redhat.com>
+ Keith Jackson <keithkjackson@gmail.com>
+ Marc Jadoul <mgjadoul@laptomatic.auth-o-matic.corp>
+ Jeremiah Jahn <jeremiah@goodinassociates.com>
+ Jakub Jelen <jjelen@redhat.com>
+ Jessicahfy <Jessicahfy@users.noreply.github.com>
+ Stephan Joerrens <Stephan.Joerrens@fiduciagad.de>
+ Hunter Jones <hjones2199@gmail.com>
+ Jono <jono@ubuntu-18.localdomain>
+ justchris1 <justchris1@justchris1.email>
+ Kai Kang <kai.kang@windriver.com>
+ Charles Kernstock <charles.kernstock@ultra-ats.com>
+ Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+ Sherine Khoury <skhoury@redhat.com>
+ Nathan Kinder <nkinder@redhat.com>
+ Lee Kinser <lee.kinser@gmail.com>
+ Evgeny Kolesnikov <ekolesni@redhat.com>
+ Peter 'Pessoft' Kolínek <github@pessoft.com>
+ Luke Kordell <luke.t.kordell@lmco.com>
+ Malte Kraus <malte.kraus@suse.com>
+ Seth Kress <seth.kress@dsainc.com>
+ Felix Krohn <felix.krohn@helvetia.ch>
+ kspargur <kspargur@kspargur.csb>
+ Amit Kumar <amitkuma@redhat.com>
+ Fen Labalme <fen@civicactions.com>
+ Ade Lee <alee@redhat.com>
+ Christopher Lee <Crleekwc@gmail.com>
+ Ian Lee <lee1001@llnl.gov>
+ Jarrett Lee <jarrettl@umd.edu>
+ Joseph Lenox <joseph.lenox@collins.com>
+ Jan Lieskovsky <jlieskov@redhat.com>
+ Markus Linnala <Markus.Linnala@knowit.fi>
+ Flos Lonicerae <lonicerae@gmail.com>
+ Simon Lukasik <slukasik@redhat.com>
+ Milan Lysonek <mlysonek@redhat.com>
+ Fredrik Lysén <fredrik@pipemore.se>
+ Caitlin Macleod <caitelatte@gmail.com>
+ Nick Maludy <nmaludy@gmail.com>
+ Lokesh Mandvekar <lsm5@fedoraproject.org>
+ Matus Marhefka <mmarhefk@redhat.com>
+ Jamie Lorwey Martin <jlmartin@redhat.com>
+ Carlos Matos <cmatos@redhat.com>
+ Robert McAllister <rmcallis@redhat.com>
+ Karen McCarron <kmccarro@redhat.com>
+ Michael McConachie <michael@redhat.com>
+ Marcus Meissner <meissner@suse.de>
+ Khary Mendez <kmendez@redhat.com>
+ Rodney Mercer <rmercer@harris.com>
+ Matt Micene <nzwulfin@gmail.com>
+ Brian Millett <bmillett@gmail.com>
+ Takuya Mishina <tmishina@jp.ibm.com>
+ Mixer9 <35545791+Mixer9@users.noreply.github.com>
+ mmosel <mmosel@kde.example.com>
+ Zbynek Moravec <zmoravec@redhat.com>
+ Kazuo Moriwaka <moriwaka@users.noreply.github.com>
+ Michael Moseley <michael@eclipse.ncsc.mil>
+ Renaud Métrich <rmetrich@redhat.com>
+ Joe Nall <joe@nall.com>
+ Neiloy <neiloy@redhat.com>
+ Axel Nennker <axel@nennker.de>
+ Michele Newman <mnewman@redhat.com>
+ Sean O'Keeffe <seanokeeffe797@gmail.com>
+ Jiri Odehnal <jodehnal@redhat.com>
+ Ilya Okomin <ilya.okomin@oracle.com>
+ Kaustubh Padegaonkar <theTuxRacer@gmail.com>
+ Michael Palmiotto <mpalmiotto@tresys.com>
+ Eryx Paredes <eryxp@lyft.com>
+ Max R.D. Parmer <maxp@trystero.is>
+ Arnaud Patard <apatard@hupstream.com>
+ Jan Pazdziora <jpazdziora@redhat.com>
+ pcactr <paul.c.arnold4.ctr@mail.mil>
+ Kenneth Peeples <kennethwpeeples@gmail.com>
+ Nathan Peters <Nathaniel.Peters@ca.com>
+ Frank Lin PIAT <fpiat@klabs.be>
+ Stefan Pietsch <mail.ipv4v6+gh@gmail.com>
+ piggyvenus <piggyvenus@gmail.com>
+ Vojtech Polasek <vpolasek@redhat.com>
+ Orion Poplawski <orion@nwra.com>
+ Nick Poyant <npoyant@redhat.com>
+ Martin Preisler <mpreisle@redhat.com>
+ Wesley Ceraso Prudencio <wcerasop@redhat.com>
+ Raphael Sanchez Prudencio <rsprudencio@redhat.com>
+ T.O. Radzy Radzykewycz <radzy@windriver.com>
+ Kenyon Ralph <kenyon@kenyonralph.com>
+ Mike Ralph <mralph@redhat.com>
+ Federico Ramirez <federico.r.ramirez@oracle.com>
+ rchikov <rumen.chikov@suse.com>
+ Rick Renshaw <Richard_Renshaw@xtoenergy.com>
+ Chris Reynolds <c.reynolds82@gmail.com>
+ rhayes <rhayes@rivierautilities.com>
+ Pat Riehecky <riehecky@fnal.gov>
+ rlucente-se-jboss <rlucente@redhat.com>
+ Juan Antonio Osorio Robles <juan.osoriorobles@eu.equinix.com>
+ Matt Rogers <mrogers@redhat.com>
+ Jesse Roland <jesse.roland@onyxpoint.com>
+ Joshua Roys <roysjosh@gmail.com>
+ rrenshaw <bofh69@yahoo.com>
+ Chris Ruffalo <chris.ruffalo@gmail.com>
+ rumch-se <77793453+rumch-se@users.noreply.github.com>
+ Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil>
+ Earl Sampson <ESampson@suse.com>
+ sampsone <esampson@suse.com>
+ Willy Santos <wsantos@redhat.com>
+ Nagarjuna Sarvepalli <snagarju@redhat.com>
+ Anderson Sasaki <33833274+ansasaki@users.noreply.github.com>
+ Gautam Satish <gautams@hpe.com>
+ Watson Sato <wsato@redhat.com>
+ Satoru SATOH <satoru.satoh@gmail.com>
+ Alexander Scheel <alexander.m.scheel@gmail.com>
+ Bryan Schneiders <pschneiders@trisept.com>
+ shaneboulden <shane.boulden@gmail.com>
+ Vincent Shen <wenshen@redhat.com>
+ Dhriti Shikhar <dhriti.shikhar.rokz@gmail.com>
+ Spencer Shimko <sshimko@tresys.com>
+ Mark Shoger <mshoger@redhat.com>
+ THOBY Simon <Simon.THOBY@viveris.fr>
+ Thomas Sjögren <konstruktoid@users.noreply.github.com>
+ Jindrich Skacel <102800748+jskacel@users.noreply.github.com>
+ Francisco Slavin <fslavin@tresys.com>
+ Dave Smith <dsmith@eclipse.ncsc.mil>
+ David Smith <dsmith@fornax.eclipse.ncsc.mil>
+ Kevin Spargur <kspargur@redhat.com>
+ Kenneth Stailey <kstailey.lists@gmail.com>
+ Leland Steinke <leland.j.steinke.ctr@mail.mil>
+ Justin Stephenson <jstephen@redhat.com>
+ Brian Stinson <brian@bstinson.com>
+ Jake Stookey <jakestookey@gmail.com>
+ Jonathan Sturges <jsturges@redhat.com>
+ teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
+ Ian Tewksbury <itewk@redhat.com>
+ Philippe Thierry <phil@reseau-libre.net>
+ Simon THOBY <git@nightmared.fr>
+ Derek Thurston <thegrit@gmail.com>
+ tianzhenjia <jiatianzhen@cmss.chinamobile.com>
+ Greg Tinsley <gtinsley@redhat.com>
+ Paul Tittle <ptittle@cmf.nrl.navy.mil>
+ tom <tom@localhost.localdomain>
+ tomas.hudik <tomas.hudik@embedit.cz>
+ Jeb Trayer <jeb.d.trayer@uscg.mil>
+ TrilokGeer <tgeer@redhat.com>
+ Viktors Trubovics <viktors.trubovics@suse.com>
+ Nico Truzzolino <nico.truzzolino@gmx.de>
+ Brian Turek <brian.turek@gmail.com>
+ Matěj Týč <matyc@redhat.com>
+ VadimDor <29509093+VadimDor@users.noreply.github.com>
+ Trevor Vaughan <tvaughan@onyxpoint.com>
+ vtrubovics <82443408+vtrubovics@users.noreply.github.com>
+ Samuel Warren <swarren@redhat.com>
+ wcushen <54533890+wcushen@users.noreply.github.com>
+ Shawn Wells <shawn@shawndwells.io>
+ Daniel E. White <linuxdan@users.noreply.github.com>
+ Bernhard M. Wiedemann <bwiedemann@suse.de>
+ Roy Williams <roywilli@roywilli.redhat.com>
+ Willumpie <willumpie@xs4all.nl>
+ Rob Wilmoth <rwilmoth@redhat.com>
+ win97pro <win97pro@protonmail.com>
+ Lucas Yamanishi <lucas.yamanishi@onyxpoint.com>
+ Xirui Yang <xirui.yang@oracle.com>
+ yarunachalam <yarunachalam@suse.com>
+ Guang Yee <guang.yee@suse.com>
+ Achilleas John Yfantis <ayfantis@redhat.com>
+ YiLin.Li <YiLin.Li@linux.alibaba.com>
+ YuQing <yyq0391@163.com>
+ Kevin Zimmerman <kevin.zimmerman@kitware.com>
+ Luigi Mario Zuccarelli <luzuccar@redhat.com>
+ Jan Černý <jcerny@redhat.com>
+ Michal Šrubař <msrubar@redhat.com>
+ https://github.com/ComplianceAsCode/content/releases/latest
+
+
+
+ Profile for ANSSI DAT-NT28 Average (Intermediate) Level
+ This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Profile for ANSSI DAT-NT28 High (Enforced) Level
+ This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Profile for ANSSI DAT-NT28 Minimal Level
+ This profile contains items to be applied systematically.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Profile for ANSSI DAT-NT28 Restrictive Level
+ This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ CIS Ubuntu 18.04 LTS Benchmark
+ This baseline aligns to the Center for Internet Security
+Ubuntu 18.04 LTS Benchmark, v1.0.0, released
+08-13-2018.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Standard System Security Profile for Ubuntu 18.04
+ This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ System Settings
+ Contains rules that check correct system settings.
+
+ Installing and Maintaining Software
+ The following sections contain information on
+security-relevant choices during the initial operating system
+installation process and the setup of software
+updates.
+
+ Prefer to use a 64-bit Operating System when supported
+ Prefer installation of 64-bit operating systems when the CPU supports it.
+ There is no remediation besides installing a 64-bit operating system.
+ BP28(R10)
+ Use of a 64-bit operating system offers a few advantages, like a larger address space range for
+Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.
+
+
+
+
+
+
+
+
+ System and Software Integrity
+ System and software integrity can be gained by installing antivirus, increasing
+system encryption strength with FIPS, verifying installed software, enabling SELinux,
+installing an Intrusion Prevention System, etc. However, installing or enabling integrity
+checking tools cannot prevent intrusions, but they can detect that an intrusion
+may have occurred. Requirements for integrity checking may be highly dependent on
+the environment in which the system will be used. Snapshot-based approaches such
+as AIDE may induce considerable overhead in the presence of frequent software updates.
+
+ Software Integrity Checking
+ Both the AIDE (Advanced Intrusion Detection Environment)
+software and the RPM package management system provide
+mechanisms for verifying the integrity of installed software.
+AIDE uses snapshots of file metadata (such as hashes) and compares these
+to current system files in order to detect changes.
+
+The RPM package management system can conduct integrity
+checks by comparing information in its metadata database with
+files installed on the system.
+
+ Integrity Scan Notification Email Address
+ Specify the email address for designated personnel if baseline
+configurations are changed in an unauthorized manner.
+ root@localhost
+
+
+ Verify Integrity with RPM
+ The RPM package management system includes the ability
+to verify the integrity of installed packages by comparing the
+installed files with information about the files taken from the
+package metadata stored in the RPM database. Although an attacker
+could corrupt the RPM database (analogous to attacking the AIDE
+database as described above), this check can still reveal
+modification of important files. To list which files on the system differ from what is expected by the RPM database:
+$ rpm -qVa
+See the man page for rpm to see a complete explanation of each column.
+
+
+ Verify Integrity with AIDE
+ AIDE conducts integrity checks by comparing information about
+files with previously-gathered information. Ideally, the AIDE database is
+created immediately after initial system configuration, and then again after any
+software update. AIDE is highly configurable, with further configuration
+information located in /usr/share/doc/aide-VERSION.
+
+
+
+
+ Federal Information Processing Standard (FIPS)
+ The Federal Information Processing Standard (FIPS) is a computer security standard which
+is developed by the U.S. Government and industry working groups to validate the quality
+of cryptographic modules. The FIPS standard provides four security levels to ensure
+adequate coverage of different industries, implementation of cryptographic modules, and
+organizational sizes and requirements.
+
+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
+utilize authentication that meets industry and government requirements. For government systems, this allows
+Security Levels 1, 2, 3, or 4 for use on Ubuntu 18.04.
+
+See http://csrc.nist.gov/publications/PubsFIPS.html for more information.
+
+
+
+ System Cryptographic Policies
+ Linux has the capability to centrally configure cryptographic polices. The command
+update-crypto-policies is used to set the policy applicable for the various
+cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic
+policies will be the default policy used by these backends unless the application
+user configures them otherwise. When the system has been configured to use the
+centralized cryptographic policies, the administrator is assured that any application
+that utilizes the supported backends will follow a policy that adheres to the
+configured profile.
+
+Currently the supported backends are:
+GnuTLS libraryOpenSSL libraryNSS libraryOpenJDKLibkrb5BINDOpenSSH
+Applications and languages which rely on any of these backends will follow the
+system policies as well. Examples are apache httpd, nginx, php, and others.
+
+ SSH client RekeyLimit - size
+ Specify the size component of the rekey limit. This limit signifies amount
+of data. After this amount of data is transferred through the connection,
+the session key is renegotiated. The number is followed by K, M or G for
+kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+configured according to elapsed time.
+ 512M
+ 512M
+ 1G
+
+
+ SSH client RekeyLimit - time
+ Specify the time component of the rekey limit. The session key is
+renegotiated after the defined amount of time passes. The number is followed
+by units such as H or M for hours or minutes. Note that the RekeyLimit can
+be also configured according to amount of transfered data.
+ 1h
+ 1h
+
+
+ The system-provided crypto policies
+ Specify the crypto policy for the system.
+ DEFAULT
+ DEFAULT
+ DEFAULT:NO-SHA1
+ FIPS
+ FIPS:OSPP
+ LEGACY
+ FUTURE
+ NEXT
+
+
+ Harden SSH client Crypto Policy
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.
+To override the system wide crypto policy for Openssh client, place a file in the /etc/ssh/ssh_config.d/ so that it is loaded before the 05-redhat.conf. In this case it is file named 02-ospp.conf containing parameters which need to be changed with respect to the crypto policy.
+This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.
+During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.
+ CIP-003-8 R4.2
+ CIP-007-3 R5.1
+ CIP-007-3 R7.1
+ AC-17(a)
+ AC-17(2)
+ CM-6(a)
+ MA-4(6)
+ SC-13
+ FCS_SSHC_EXT.1
+ SRG-OS-000033-GPOS-00014
+ SRG-OS-000250-GPOS-00093
+ SRG-OS-000393-GPOS-00173
+ SRG-OS-000394-GPOS-00174
+ The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+
+#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy
+file="/etc/ssh/ssh_config.d/02-ospp.conf"
+echo -e "Match final all\n\
+RekeyLimit 512M 1h\n\
+GSSAPIAuthentication no\n\
+Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\n\
+PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\n\
+MACs hmac-sha2-512,hmac-sha2-256\n\
+KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\n" > "$file"
+
+
+
+
+
+
+
+
+
+
+ Operating System Vendor Support and Certification
+ The assurance of a vendor to provide operating system support and maintenance
+for their product is an important criterion to ensure product stability and
+security over the life of the product. A certified product that follows the
+necessary standards and government certification requirements guarantees that
+known software vulnerabilities will be remediated, and proper guidance for
+protecting and securing the operating system will be given.
+
+ The Installed Operating System Is FIPS 140-2 Certified
+ To enable processing of sensitive information the operating system must
+provide certified cryptographic modules compliant with FIPS 140-2
+standard.
+
+Ubuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is
+responsible for government certifications and standards.
+
+Users of Ubuntu Linux either need an Ubuntu Advantage subscription or need
+to be using Ubuntu Pro from a sponsored vendor in order to have access to
+FIPS content supported by Canonical.
+ There is no remediation besides switching to a different operating system.
+ System Crypto Modules must be provided by a vendor that undergoes
+FIPS-140 certifications.
+FIPS-140 is applicable to all Federal agencies that use
+cryptographic-based security systems to protect sensitive information
+in computer and telecommunication systems (including voice systems) as
+defined in Section 5131 of the Information Technology Management Reform
+Act of 1996, Public Law 104-106. This standard shall be used in
+designing and implementing cryptographic modules that Federal
+departments and agencies operate or are operated for them under
+contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
+To meet this, the system has to have cryptographic software provided by
+a vendor that has undergone this certification. This means providing
+documentation, test results, design information, and independent third
+party review by an accredited lab. While open source software is
+capable of meeting this, it does not meet FIPS-140 unless the vendor
+submits to this process.
+ CCI-000803
+ CCI-002450
+ CIP-003-8 R4.2
+ CIP-007-3 R5.1
+ SC-12(2)
+ SC-12(3)
+ IA-7
+ SC-13
+ CM-6(a)
+ SC-12
+ SRG-OS-000120-VMM-000600
+ SRG-OS-000478-VMM-001980
+ SRG-OS-000396-VMM-001590
+ The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS
+PUB 140-2) is a computer security standard. The standard specifies security
+requirements for cryptographic modules used to protect sensitive
+unclassified information. Refer to the full FIPS 140-2 standard at
+
+ http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
+for further details on the requirements.
+FIPS 140-2 validation is required by U.S. law when information systems use
+cryptography to protect sensitive government information. In order to
+achieve FIPS 140-2 certification, cryptographic modules are subject to
+extensive testing by independent laboratories, accredited by National
+Institute of Standards and Technology (NIST).
+
+
+
+
+
+
+
+
+
+ Endpoint Protection Software
+ Endpoint protection security software that is not provided or supported
+
+by Red Hat can be installed to provide complementary or duplicative
+
+security capabilities to those provided by the base platform. Add-on
+software may not be appropriate for some specialized systems.
+
+ Configure Backups of User Data
+ The operating system must conduct backups of user data contained
+in the operating system. The operating system provides utilities for
+automating backups of user data. Commercial and open-source products
+are also available.
+ Operating system backup is a critical step in maintaining data assurance and
+availability. User-level information is data generated by information system
+and/or application users. Backups shall be consistent with organizational
+recovery time and recovery point objectives.
+
+
+
+
+
+ McAfee Endpoint Security Software
+ In DoD environments, McAfee Host-based Security System (HBSS) and
+VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.
+
+ The age of McAfee defintion file before requiring updating
+ Specify the amount of time (in seconds) before McAfee definition files need to be
+updated.
+ 2592000
+ 86400
+ 604800
+ 2592000
+
+
+ McAfee Endpoint Security for Linux (ENSL)
+ McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
+used to monitor, detect, and defend computer networks and systems.
+
+
+
+ McAfee Host-Based Intrusion Detection Software (HBSS)
+ McAfee Host-based Security System (HBSS) is a suite of software applications
+used to monitor, detect, and defend computer networks and systems.
+
+ Install the Host Intrusion Prevention System (HIPS) Module
+ Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely
+necessary. If SELinux is enabled, do not install or enable this module.
+ Installing and enabling this module conflicts with SELinux.
+Per DoD/DISA guidance, SELinux takes precedence over this module.
+ Due to McAfee HIPS being 3rd party software, automated
+remediation is not available for this configuration check.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO01.06
+ APO07.06
+ APO08.04
+ APO10.05
+ APO11.06
+ APO12.01
+ APO12.02
+ APO12.03
+ APO12.04
+ APO12.06
+ APO13.01
+ APO13.02
+ BAI08.02
+ BAI08.04
+ DSS01.03
+ DSS01.05
+ DSS02.04
+ DSS02.05
+ DSS02.07
+ DSS03.01
+ DSS03.04
+ DSS03.05
+ DSS04.05
+ DSS05.01
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.01
+ DSS06.02
+ MEA03.03
+ MEA03.04
+ CCI-000366
+ CCI-001233
+ CCI-001263
+ 4.2.3
+ 4.2.3.12
+ 4.2.3.7
+ 4.2.3.9
+ 4.3.3.4
+ 4.3.4.5.2
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.3.4.5.9
+ 4.4.3.2
+ 4.4.3.3
+ 4.4.3.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.4
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.3
+ SR 3.5
+ SR 3.8
+ SR 3.9
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.1.1
+ A.12.1.2
+ A.12.4.1
+ A.12.4.3
+ A.12.5.1
+ A.12.6.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.2
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.14.2.7
+ A.14.2.8
+ A.15.2.1
+ A.16.1.1
+ A.16.1.2
+ A.16.1.3
+ A.16.1.4
+ A.16.1.5
+ A.16.1.6
+ A.16.1.7
+ A.18.1.4
+ A.18.2.2
+ A.18.2.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ Clause 16.1.2
+ Clause 7.4
+ CM-6(a)
+ DE.AE-1
+ DE.AE-2
+ DE.AE-3
+ DE.AE-4
+ DE.CM-1
+ DE.CM-5
+ DE.CM-6
+ DE.CM-7
+ DE.DP-2
+ DE.DP-3
+ DE.DP-4
+ DE.DP-5
+ ID.RA-1
+ PR.AC-5
+ PR.DS-5
+ PR.IP-8
+ PR.PT-4
+ RS.AN-1
+ RS.CO-3
+ Req-11.4
+ SRG-OS-000191-GPOS-00080
+ SRG-OS-000196
+ SRG-OS-000480-GPOS-00227
+ Without a host-based intrusion detection tool, there is no system-level defense
+when an intruder gains access to a system or network. Additionally, a host-based
+intrusion prevention tool can provide methods to immediately lock out detected
+intrusion attempts.
+
+
+[[packages]]
+name = "MFEhiplsm"
+version = "*"
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Disk Partitioning
+ To ensure separation and protection of data, there
+are top-level system directories which should be placed on their
+own physical partition or logical volume. The installer's default
+partitioning scheme creates separate logical volumes for
+/, /boot, and swap.
+If starting with any of the default layouts, check the box to
+\"Review and modify partitioning.\" This allows for the easy creation
+of additional logical volumes inside the volume group already
+created, though it may require making /'s logical volume smaller to
+create space. In general, using logical volumes is preferable to
+using partitions because they can be more easily adjusted
+later.If creating a custom layout, create the partitions mentioned in
+the previous paragraph (which the installer will require anyway),
+as well as separate ones described in the following sections.
+If a system has already been installed, and the default
+partitioning
+scheme was used, it is possible but nontrivial to
+modify it to create separate logical volumes for the directories
+listed above. The Logical Volume Manager (LVM) makes this possible.
+See the LVM HOWTO at
+ http://tldp.org/HOWTO/LVM-HOWTO/
+for more detailed information on LVM.
+
+ Ensure /home Located On Separate Partition
+ If user home directories will be stored locally, create a separate partition
+for /home at installation time (or migrate it later using LVM). If
+/home will be mounted from another system such as an NFS server, then
+creating a separate partition is not necessary at installation time, and the
+mountpoint can instead be configured later.
+ BP28(R12)
+ 12
+ 15
+ 8
+ APO13.01
+ DSS05.02
+ CCI-000366
+ CCI-001208
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ CM-6(a)
+ SC-5(2)
+ PR.PT-4
+ SRG-OS-000480-GPOS-00227
+ 1.1.12
+ Ensuring that /home is mounted on its own partition enables the
+setting of more restrictive mount options, and also helps ensure that
+users cannot trivially fill partitions used for log or audit data storage.
+
+
+
+
+
+
+
+
+
+ Ensure /srv Located On Separate Partition
+ If a file server (FTP, TFTP...) is hosted locally, create a separate partition
+for /srv at installation time (or migrate it later using LVM). If
+/srv will be mounted from another system such as an NFS server, then
+creating a separate partition is not necessary at installation time, and the
+mountpoint can instead be configured later.
+ BP28(R12)
+ Srv deserves files for local network file server such as FTP. Ensuring
+that /srv is mounted on its own partition enables the setting of
+more restrictive mount options, and also helps ensure that
+users cannot trivially fill partitions used for log or audit data storage.
+
+
+
+
+
+
+
+
+
+ Ensure /tmp Located On Separate Partition
+ The /tmp directory is a world-writable directory used
+for temporary file storage. Ensure it has its own partition or
+logical volume at installation time, or migrate it using LVM.
+ BP28(R12)
+ 12
+ 15
+ 8
+ APO13.01
+ DSS05.02
+ CCI-000366
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ CM-6(a)
+ SC-5(2)
+ PR.PT-4
+ SRG-OS-000480-GPOS-00227
+ 1.1.2
+ The /tmp partition is used as temporary storage by many programs.
+Placing /tmp in its own partition enables the setting of more
+restrictive mount options, which can help protect programs which use it.
+
+
+
+
+
+
+
+
+
+ Ensure /var Located On Separate Partition
+ The /var directory is used by daemons and other system
+services to store frequently-changing data. Ensure that /var has its own partition
+or logical volume at installation time, or migrate it using LVM.
+ BP28(R12)
+ 12
+ 15
+ 8
+ APO13.01
+ DSS05.02
+ CCI-000366
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ CM-6(a)
+ SC-5(2)
+ PR.PT-4
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000341-VMM-001220
+ 1.1.5
+ Ensuring that /var is mounted on its own partition enables the
+setting of more restrictive mount options. This helps protect
+system services such as daemons or other programs which use it.
+It is not uncommon for the /var directory to contain
+world-writable directories installed by other software packages.
+
+
+
+
+
+
+
+
+
+ Ensure /var/log Located On Separate Partition
+ System logs are stored in the /var/log directory.
+
+Ensure that /var/log has its own partition or logical
+volume at installation time, or migrate it using LVM.
+ BP28(R12)
+ BP28(R47)
+ 1
+ 12
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ 8
+ APO11.04
+ APO13.01
+ BAI03.05
+ DSS05.02
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000366
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ CIP-007-3 R6.5
+ CM-6(a)
+ AU-4
+ SC-5(2)
+ PR.PT-1
+ PR.PT-4
+ SRG-OS-000480-GPOS-00227
+ 1.1.10
+ Placing /var/log in its own partition
+enables better separation between log files
+and other files in /var/.
+
+
+
+
+
+
+
+
+
+ Ensure /var/log/audit Located On Separate Partition
+ Audit logs are stored in the /var/log/audit directory.
+
+Ensure that /var/log/audit has its own partition or logical
+volume at installation time, or migrate it using LVM.
+Make absolutely certain that it is large enough to store all
+audit logs that will be created by the auditing daemon.
+ BP28(R43)
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 2
+ 3
+ 5
+ 6
+ 8
+ APO11.04
+ APO13.01
+ BAI03.05
+ BAI04.04
+ DSS05.02
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000366
+ CCI-001849
+ 164.312(a)(2)(ii)
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.2
+ SR 7.6
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.17.2.1
+ CIP-007-3 R6.5
+ CM-6(a)
+ AU-4
+ SC-5(2)
+ PR.DS-4
+ PR.PT-1
+ PR.PT-4
+ FMT_SMF_EXT.1
+ SRG-OS-000341-GPOS-00132
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000341-VMM-001220
+ 1.1.11
+ Placing /var/log/audit in its own partition
+enables better separation between audit files
+and other files, and helps ensure that
+auditing cannot be halted due to the partition running out
+of space.
+
+
+
+
+
+
+
+
+
+ Ensure /var/tmp Located On Separate Partition
+ The /var/tmp directory is a world-writable directory used
+for temporary file storage. Ensure it has its own partition or
+logical volume at installation time, or migrate it using LVM.
+ BP28(R12)
+ SRG-OS-000480-GPOS-00227
+ 1.1.6
+ The /var/tmp partition is used as temporary storage by many programs.
+Placing /var/tmp in its own partition enables the setting of more
+restrictive mount options, which can help protect programs which use it.
+
+
+
+
+
+
+
+
+
+
+ GNOME Desktop Environment
+ GNOME is a graphical desktop environment bundled with many Linux distributions that
+allow users to easily interact with the operating system graphically rather than
+textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user
+switching contexts as well as display server management.
+
+GNOME is developed by the GNOME Project and is considered the default
+
+Red Hat Graphical environment.
+
+
+For more information on GNOME and the GNOME Project, see https://www.gnome.org.
+
+
+ Configure GNOME Login Screen
+ In the default GNOME desktop, the login is displayed after system boot
+and can display user accounts, allow users to reboot the system, and allow users to
+login automatically and/or with a guest account. The login screen should be configured
+to prevent such behavior.
+
+
+For more information about enforcing preferences in the GNOME3 environment using the DConf
+configuration system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide/> and the man page dconf(1).
+
+ Disable XDMCP in GDM
+ XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g.
+XDMCP Gnome docs.
+
+To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. For example:
+
+[xdmcp]
+Enable=false
+
+ XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using XDMCP, the
+privileged user password could be compromised due to typed XEvents
+and keystrokes will traversing over the network in clear text.
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'gdm3' 2>/dev/null | grep -q installed; then
+
+# Try find '[xdmcp]' and 'Enable' in '/etc/gdm3/custom.conf', if it exists, set
+# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there
+if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm3/custom.conf'; then
+
+ sed -i "s/Enable[^(\n)]*/Enable=false/" '/etc/gdm3/custom.conf'
+elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm3/custom.conf'; then
+ sed -i "/[[:space:]]*\[xdmcp]/a Enable=false" '/etc/gdm3/custom.conf'
+else
+ if test -d "/etc/gdm3"; then
+ printf '%s\n' '[xdmcp]' "Enable=false" >> '/etc/gdm3/custom.conf'
+ else
+ echo "Config file directory '/etc/gdm3' doesnt exist, not remediating, assuming non-applicability." >&2
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ GNOME Media Settings
+ GNOME media settings that apply to the graphical interface.
+
+
+ GNOME Network Settings
+ GNOME network settings that apply to the graphical interface.
+
+
+ GNOME Remote Access Settings
+ GNOME remote access settings that apply to the graphical interface.
+
+
+ Configure GNOME Screen Locking
+ In the default GNOME3 desktop, the screen can be locked
+by selecting the user name in the far right corner of the main panel and
+selecting Lock.
+
+The following sections detail commands to enforce idle activation of the screensaver,
+screen locking, a blank-screen screensaver, and an idle activation time.
+
+Because users should be trained to lock the screen when they
+step away from the computer, the automatic locking feature is only
+meant as a backup.
+
+The root account can be screen-locked; however, the root account should
+never be used to log into an X Windows environment and should only
+be used to for direct login via console in emergency circumstances.
+
+For more information about enforcing preferences in the GNOME3 environment using the DConf
+configuration system, see http://wiki.gnome.org/dconf and
+the man page dconf(1).
+
+ Screensaver Inactivity timeout
+ Choose allowed duration (in seconds) of inactive graphical sessions
+ 600
+ 900
+ 1800
+ 300
+ 900
+
+
+ Screensaver Lock Delay
+ Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt
+ 10
+ 5
+ 0
+ 0
+
+
+
+ GNOME System Settings
+ GNOME provides configuration and functionality to a graphical desktop environment
+that changes grahical configurations or allow a user to perform
+actions that users normally would not be able to do in non-graphical mode such as
+remote access configuration, power policies, Geo-location, etc.
+Configuring such settings in GNOME will prevent accidential graphical configuration
+changes by users from taking place.
+
+
+
+ SAP Specific Requirement
+ SAP (Systems, Applications and Products in Data Processing) is enterprise
+software to manage business operations and customer relations. The
+following section contains SAP specific requirement that is not part
+of standard or common OS setting.
+
+
+ Sudo
+ Sudo, which stands for "su 'do'", provides the ability to delegate authority
+to certain users, groups of users, or system administrators. When configured for system
+users and/or groups, Sudo can allow a user or group to execute privileged commands
+that normally only root is allowed to execute.
+
+For more information on Sudo and addition Sudo configuration options, see
+https://www.sudo.ws.
+
+ Group name dedicated to the use of sudo
+ Specify the name of the group that should own /usr/bin/sudo.
+ root
+ sudogrp
+
+
+ Sudo - logfile value
+ Specify the sudo logfile to use. The default value used here matches the example
+location from CIS, which uses /var/log/sudo.log.
+ /var/log/sudo.log
+ /var/log/sudo.log
+
+
+ Sudo - passwd_timeout value
+ Defines the number of minutes before the sudo password prompt times out.
+Defining 0 means no timeout. The default timeout value is 5 minutes.
+ 5
+ 0
+ 1
+ 2
+ 3
+ 5
+
+
+ Sudo - timestamp_timeout value
+ Defines the number of minutes that can elapse before sudo will ask for a passwd again.
+If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always prompt for a
+password. The default timeout value is 5 minutes.
+ 5
+ 0
+ 1
+ 2
+ 3
+ 5
+ 15
+
+
+ Sudo - umask value
+ Specify the sudo umask to use. The actual umask value that is used is the union
+of the user's umask and the sudo umask.
+The default sudo umask is 0022. This guarantess sudo never lowers the umask when
+running a command.
+ 0022
+ 0022
+ 0027
+
+
+ Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
+ The sudo NOEXEC tag, when specified, prevents user executed
+commands from executing other commands, like a shell for example.
+This should be enabled by making sure that the NOEXEC tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
+ BP28(R58)
+ Restricting the capability of sudo allowed commands to execute sub-commands
+prevents users from running programs with privileges they wouldn't have otherwise.
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\bnoexec\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option noexec
+ echo "Defaults noexec" >> /etc/sudoers
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+ - name: Ensure noexec is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\bnoexec\b.*$
+ line: Defaults noexec
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_noexec
+
+
+
+
+
+
+
+
+
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty
+ The sudo requiretty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the requiretty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
+ BP28(R58)
+ Restricting the use cases in which a user is allowed to execute sudo commands
+reduces the attack surface.
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\brequiretty\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option requiretty
+ echo "Defaults requiretty" >> /etc/sudoers
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+ - name: Ensure requiretty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\brequiretty\b.*$
+ line: Defaults requiretty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_requiretty
+
+
+
+
+
+
+
+
+
+ Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
+ The sudo use_pty tag, when specified, will only execute sudo
+commands from users logged in to a real tty.
+This should be enabled by making sure that the use_pty tag exists in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
+ BP28(R58)
+ Req-10.2.1.5
+ Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
+access to the user's terminal after the main program has finished executing.
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\buse_pty\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option use_pty
+ echo "Defaults use_pty" >> /etc/sudoers
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+ - name: Ensure use_pty is enabled in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults.*\buse_pty\b.*$
+ line: Defaults use_pty
+ validate: /usr/sbin/visudo -cf %s
+ tags:
+ - PCI-DSS-Req-10.2.1.5
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_add_use_pty
+
+
+
+
+
+
+
+
+
+ Ensure Sudo Logfile Exists - sudo logfile
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
+a sudo custom logfile at the default location suggested by CIS, which uses
+/var/log/sudo.log.
+ Req-10.2.1.5
+ A sudo log file simplifies auditing of sudo commands.
+
+
+var_sudo_logfile=''
+
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option logfile
+ echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
+ else
+ # sudoers file defines Option logfile, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
+
+ escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
+ sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
+
+ - name: XCCDF Value var_sudo_logfile # promote to variable
+ set_fact:
+ var_sudo_logfile: !!str
+ tags:
+ - always
+
+- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
+ line: Defaults \1logfile={{ var_sudo_logfile }}\2
+ validate: /usr/sbin/visudo -cf %s
+ backrefs: true
+ register: edit_sudoers_logfile_option
+ tags:
+ - PCI-DSS-Req-10.2.1.5
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_custom_logfile
+
+- name: Enable logfile option with appropriate value in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ line: Defaults logfile={{ var_sudo_logfile }}
+ validate: /usr/sbin/visudo -cf %s
+ when: edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
+ tags:
+ - PCI-DSS-Req-10.2.1.5
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_custom_logfile
+
+
+
+
+
+
+
+
+
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
+ The sudo !authenticate option, when specified, allows a user to execute commands using
+sudo without having to authenticate. This should be disabled by making sure that the
+!authenticate option does not exist in /etc/sudoers configuration file or
+any sudo configuration snippets in /etc/sudoers.d/.
+ BP28(R5)
+ BP28(R59)
+ 1
+ 12
+ 15
+ 16
+ 5
+ DSS05.04
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ CCI-002038
+ 4.3.3.5.1
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-11
+ CM-6(a)
+ PR.AC-1
+ PR.AC-7
+ SRG-OS-000373-GPOS-00156
+ SRG-OS-000373-GPOS-00157
+ SRG-OS-000373-GPOS-00158
+ SRG-OS-000373-VMM-001470
+ SRG-OS-000373-VMM-001480
+ SRG-OS-000373-VMM-001490
+ Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "!authenticate" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
+
+ - name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_remove_no_authenticate
+
+- name: Remove lines containing !authenticate from sudoers files
+ replace:
+ regexp: (^(?!#).*[\s]+\!authenticate.*$)
+ replace: '# \g<1>'
+ path: '{{ item.path }}'
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - path: /etc/sudoers
+ - '{{ sudoers.files }}'
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_remove_no_authenticate
+
+
+
+
+
+
+
+
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
+ The sudo NOPASSWD tag, when specified, allows a user to execute
+commands using sudo without having to authenticate. This should be disabled
+by making sure that the NOPASSWD tag does not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/.
+ BP28(R5)
+ BP28(R59)
+ 1
+ 12
+ 15
+ 16
+ 5
+ DSS05.04
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ CCI-002038
+ 4.3.3.5.1
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-11
+ CM-6(a)
+ PR.AC-1
+ PR.AC-7
+ SRG-OS-000373-GPOS-00156
+ SRG-OS-000373-GPOS-00157
+ SRG-OS-000373-GPOS-00158
+ SRG-OS-000373-VMM-001470
+ SRG-OS-000373-VMM-001480
+ SRG-OS-000373-VMM-001490
+ Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "NOPASSWD" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
+
+ - name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_remove_nopasswd
+
+- name: Remove lines containing NOPASSWD from sudoers files
+ replace:
+ regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
+ replace: '# \g<1>'
+ path: '{{ item.path }}'
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - path: /etc/sudoers
+ - '{{ sudoers.files }}'
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_remove_nopasswd
+
+
+
+
+
+
+
+
+
+ Ensure Users Re-Authenticate for Privilege Escalation - sudo
+ The sudo NOPASSWD and !authenticate option, when
+specified, allows a user to execute commands using sudo without having to
+authenticate. This should be disabled by making sure that
+NOPASSWD and/or !authenticate do not exist in
+/etc/sudoers configuration file or any sudo configuration snippets
+in /etc/sudoers.d/."
+ 1
+ 12
+ 15
+ 16
+ 5
+ DSS05.04
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ CCI-002038
+ 4.3.3.5.1
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-11
+ CM-6(a)
+ PR.AC-1
+ PR.AC-7
+ SRG-OS-000373-GPOS-00156
+ Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "NOPASSWD" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
+
+for f in /etc/sudoers /etc/sudoers.d/* ; do
+ if [ ! -e "$f" ] ; then
+ continue
+ fi
+ matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ # comment out "!authenticate" matches to preserve user data
+ sed -i "s/^${entry}$/# &/g" $f
+ done <<< "$matching_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
+
+ - name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_authentication
+
+- name: Remove lines containing NOPASSWD from sudoers files
+ replace:
+ regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
+ replace: '# \g<1>'
+ path: '{{ item.path }}'
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - path: /etc/sudoers
+ - '{{ sudoers.files }}'
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_authentication
+
+- name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_authentication
+
+- name: Remove lines containing !authenticate from sudoers files
+ replace:
+ regexp: (^(?!#).*[\s]+\!authenticate.*$)
+ replace: '# \g<1>'
+ path: '{{ item.path }}'
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - path: /etc/sudoers
+ - '{{ sudoers.files }}'
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_authentication
+
+
+
+
+
+
+
+
+
+ Only the VDSM User Can Use sudo NOPASSWD
+ The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/.
+ Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+
+
+
+
+
+
+
+
+ Explicit arguments in sudo specifications
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
+If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2.
+ BP28(R63)
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
+realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
+avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
+level of its specification.
+
+For example, on some systems, the kernel messages are only accessible by root.
+If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
+in order to prevent the user from flushing the buffer through the -c option:
+
+user ALL = dmesg ""
+
+
+
+
+
+
+
+
+
+
+ Don't define allowed commands in sudoers by means of exclusion
+ Policies applied by sudo through the sudoers file should not involve negation.
+
+Each user specification in the sudoers file contains a comma-delimited list of command specifications.
+The definition can make use glob patterns, as well as of negations.
+Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.
+ This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.
+ BP28(R61)
+ Specifying access right using negation is inefficient and can be easily circumvented.
+For example, it is expected that a specification like
+# To avoid absolutely , this rule can be easily circumvented!
+user ALL = ALL ,!/ bin/sh
+ prevents the execution of the shell
+but that’s not the case: just copy the binary /bin/sh to a different name to make it executable
+again through the rule keyword ALL.
+
+
+
+
+
+
+
+
+
+ Don't target root user in the sudoers file
+ The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).
+
+User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used.
+ This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
+ BP28(R60)
+ It is common that the command to be executed does not require superuser rights (editing a file
+whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit
+any attempt of privilege escalation through a command, it is better to apply normal user rights.
+
+
+
+
+
+
+
+
+
+
+ System Tooling / Utilities
+ The following checks evaluate the system for recommended base packages -- both for installation
+and removal.
+
+ Ensure gnutls-utils is installed
+ The gnutls-utils package can be installed with the following command:
+
+$ apt-get install gnutls-utils
+ FIA_X509_EXT.1
+ FIA_X509_EXT.2
+ SRG-OS-000480-GPOS-00227
+ GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
+protocols and technologies around them. It provides a simple C language
+application programming interface (API) to access the secure communications
+protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
+other required structures.
+This package contains command line TLS client and server and certificate
+manipulation tools.
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "gnutls-utils"
+
+ - name: Ensure gnutls-utils is installed
+ package:
+ name: gnutls-utils
+ state: present
+ tags:
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_gnutls-utils_installed
+
+ include install_gnutls-utils
+
+class install_gnutls-utils {
+ package { 'gnutls-utils':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Ensure nss-tools is installed
+ The nss-tools package can be installed with the following command:
+
+$ apt-get install nss-tools
+ FMT_SMF_EXT.1
+ SRG-OS-000480-GPOS-00227
+ Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Install the nss-tools package
+to install command-line tools to manipulate the NSS certificate
+and key database.
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "nss-tools"
+
+ - name: Ensure nss-tools is installed
+ package:
+ name: nss-tools
+ state: present
+ tags:
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_nss-tools_installed
+
+ include install_nss-tools
+
+class install_nss-tools {
+ package { 'nss-tools':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "nss-tools"
+version = "*"
+
+
+
+
+
+
+
+
+
+
+ Updating Software
+ The apt_get command line tool is used to install and
+update software packages. The system also provides a graphical
+software update tool in the System menu, in the Administration submenu,
+called Software Update.
+
+Ubuntu 18.04 systems contain an installed software catalog called
+the RPM database, which records metadata of installed packages. Consistently using
+apt_get or the graphical Software Update for all software installation
+allows for insight into the current inventory of installed software on the system.
+
+
+ Ensure Software Patches Installed
+
+If the system has an apt repository available, run the following command to install updates:
+$ apt update && apt full-upgrade
+
+
+NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
+dictates.
+ Ubuntu 18.04 does not have a corresponding OVAL CVE Feed. Therefore, this will result in a "not checked" result during a scan.
+ BP28(R08)
+ 18
+ 20
+ 4
+ 5.10.4.1
+ APO12.01
+ APO12.02
+ APO12.03
+ APO12.04
+ BAI03.10
+ DSS05.01
+ DSS05.02
+ CCI-000366
+ CCI-001227
+ 4.2.3
+ 4.2.3.12
+ 4.2.3.7
+ 4.2.3.9
+ A.12.6.1
+ A.14.2.3
+ A.16.1.3
+ A.18.2.2
+ A.18.2.3
+ SI-2(5)
+ SI-2(c)
+ CM-6(a)
+ ID.RA-1
+ PR.IP-12
+ FMT_MOF_EXT.1
+ Req-6.2
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ Installing software updates is a fundamental mitigation against
+the exploitation of publicly-known vulnerabilities. If the most
+recent security patches and updates are not installed, unauthorized
+users may take advantage of weaknesses in the unpatched software. The
+lack of prompt attention to patching could result in a system compromise.
+ - name: Security patches are up to date
+ package:
+ name: '*'
+ state: latest
+ tags:
+ - CJIS-5.10.4.1
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SI-2(5)
+ - NIST-800-53-SI-2(c)
+ - PCI-DSS-Req-6.2
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - patch_strategy
+ - reboot_required
+ - security_patches_up_to_date
+ - skip_ansible_lint
+
+
+
+
+
+ Account and Access Control
+ In traditional Unix security, if an attacker gains
+shell access to a certain login account, they can perform any action
+or access any file to which that account has access. Therefore,
+making it more difficult for unauthorized people to gain shell
+access to accounts, particularly to privileged accounts, is a
+necessary part of securing a system. This section introduces
+mechanisms for restricting access to accounts under
+Ubuntu 18.04.
+
+ Authselect profile
+ Specify the authselect profile to select
+ minimal
+ minimal
+ sssd
+
+
+ Warning Banners for System Accesses
+ Each system should expose as little information about
+itself as possible.
+
+System banners, which are typically displayed just before a
+login prompt, give out information about the service or the host's
+operating system. This might include the distribution name and the
+system kernel version, and the particular version of a network
+service. This information can assist intruders in gaining access to
+the system as it can reveal whether the system is running
+vulnerable software. Most network services can be configured to
+limit what information is displayed.
+
+Many organizations implement security policies that require a
+system banner provide notice of the system's ownership, provide
+warning to unauthorized users, and remind authorized users of their
+consent to monitoring.
+
+ Login Banner Verbiage
+ Enter an appropriate login banner for your organization. Please note that new lines must
+be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
+ ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
+ ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
+ ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$
+ ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+ ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$
+ ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$
+ ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+
+
+ Implement a GUI Warning Banner
+ In the default graphical environment, users logging
+directly into the system are greeted with a login screen provided
+by the GNOME Display Manager (GDM). The warning banner should be
+displayed in this graphical environment for these users.
+The following sections describe how to configure the GDM login
+banner.
+
+
+
+
+ Protect Accounts by Configuring PAM
+ PAM, or Pluggable Authentication Modules, is a system
+which implements modular authentication for Linux programs. PAM provides
+a flexible and configurable architecture for authentication, and it should be configured
+to minimize exposure to unnecessary risk. This section contains
+guidance on how to accomplish that.
+
+PAM is implemented as a set of shared objects which are
+loaded and invoked whenever an application wishes to authenticate a
+user. Typically, the application must be running as root in order
+to take advantage of PAM, because PAM's modules often need to be able
+to access sensitive stores of account information, such as /etc/shadow.
+Traditional privileged network listeners
+(e.g. sshd) or SUID programs (e.g. sudo) already meet this
+requirement. An SUID root application, userhelper, is provided so
+that programs which are not SUID or privileged themselves can still
+take advantage of PAM.
+
+PAM looks in the directory /etc/pam.d for
+application-specific configuration information. For instance, if
+the program login attempts to authenticate a user, then PAM's
+libraries follow the instructions in the file /etc/pam.d/login
+to determine what actions should be taken.
+
+One very important file in /etc/pam.d is
+/etc/pam.d/system-auth. This file, which is included by
+many other PAM configuration files, defines 'default' system authentication
+measures. Modifying this file is a good way to make far-reaching
+authentication changes, for instance when implementing a
+centralized authentication service.
+ Be careful when making changes to PAM's configuration files.
+The syntax for these files is complex, and modifications can
+have unexpected consequences. The default configurations shipped
+with applications should be sufficient for most users.
+ Running authconfig or system-config-authentication
+will re-write the PAM configuration files, destroying any manually
+made changes and replacing them with a series of system defaults.
+One reference to the configuration file syntax can be found at
+
+https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf.
+
+ Password Hashing algorithm
+ Specify the system default encryption algorithm for encrypting passwords.
+Defines the value set as ENCRYPT_METHOD in /etc/login.defs.
+ SHA512
+ SHA512
+ SHA256
+
+
+ remember
+ The last n passwords for each user are saved in
+/etc/security/opasswd in order to force password change history and
+keep the user from alternating between the same password too
+frequently.
+ 0
+ 10
+ 24
+ 2
+ 4
+ 5
+ 5
+
+
+ Disallow Configuration to Bypass Password Requirements for Privilege Escalation
+ Verify the operating system is not configured to bypass password requirements for privilege
+escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
+$ sudo grep pam_succeed_if /etc/pam.d/sudo
+If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
+ CCI-002038
+ IA-11
+ SRG-OS-000373-GPOS-00156
+ SRG-OS-000373-GPOS-00157
+ SRG-OS-000373-GPOS-00158
+ Without re-authentication, users may access resources or perform tasks for which they do not
+have authorization. When operating systems provide the capability to escalate a functional
+capability, it is critical the user re-authenticate.
+
+
+
+
+
+
+
+
+
+ Ensure PAM Displays Last Logon/Access Notification
+ To configure the system to notify users of last logon/access
+using pam_lastlog, add or correct the pam_lastlog
+settings in
+/etc/pam.d/login to read as follows:
+session required pam_lastlog.so showfailed
+And make sure that the silent option is not set for
+pam_lastlog module.
+ 1
+ 12
+ 15
+ 16
+ 5.5.2
+ DSS05.04
+ DSS05.10
+ DSS06.10
+ CCI-000052
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ 0582
+ 0584
+ 05885
+ 0586
+ 0846
+ 0957
+ A.18.1.4
+ A.9.2.1
+ A.9.2.4
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ AC-9
+ AC-9(1)
+ PR.AC-7
+ Req-10.2.4
+ SRG-OS-000480-GPOS-00227
+ Users need to be aware of activity that occurs regarding
+their account. Providing users with information regarding the number
+of unsuccessful attempts that were made to login to their account
+allows the user to determine if any unauthorized activity has occurred
+and gives them an opportunity to notify administrators.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
+
+if [ -e "/etc/pam.d/login" ] ; then
+ PAM_FILE_PATH="/etc/pam.d/login"
+ if [ -f /usr/bin/authselect ]; then
+
+ if ! authselect check; then
+ echo "
+ authselect integrity check failed. Remediation aborted!
+ This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+ It is not recommended to manually edit the PAM files when authselect tool is available.
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+ exit 1
+ fi
+
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+ # If not already in use, a custom profile is created preserving the enabled features.
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+ authselect create-profile hardening -b $CURRENT_PROFILE
+ CURRENT_PROFILE="custom/hardening"
+
+ authselect apply-changes -b --backup=before-hardening-custom-profile
+ authselect select $CURRENT_PROFILE
+ for feature in $ENABLED_FEATURES; do
+ authselect enable-feature $feature;
+ done
+
+ authselect apply-changes -b --backup=after-hardening-custom-profile
+ fi
+ PAM_FILE_NAME=$(basename "/etc/pam.d/login")
+ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+ authselect apply-changes -b
+ fi
+ if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"required"' \2/' "$PAM_FILE_PATH"
+ else
+ sed -i --follow-symlinks '1i session '"required"' pam_lastlog.so' "$PAM_FILE_PATH"
+ fi
+ fi
+ # Check the option
+ if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks '/\s*session\s+'"required"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+ fi
+ if [ -f /usr/bin/authselect ]; then
+
+ authselect apply-changes -b
+ fi
+else
+ echo "/etc/pam.d/login was not found" >&2
+fi
+if [ -e "/etc/pam.d/login" ] ; then
+ PAM_FILE_PATH="/etc/pam.d/login"
+ if [ -f /usr/bin/authselect ]; then
+
+ if ! authselect check; then
+ echo "
+ authselect integrity check failed. Remediation aborted!
+ This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
+ It is not recommended to manually edit the PAM files when authselect tool is available.
+ In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
+ exit 1
+ fi
+
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
+ # If not already in use, a custom profile is created preserving the enabled features.
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
+ authselect create-profile hardening -b $CURRENT_PROFILE
+ CURRENT_PROFILE="custom/hardening"
+
+ authselect apply-changes -b --backup=before-hardening-custom-profile
+ authselect select $CURRENT_PROFILE
+ for feature in $ENABLED_FEATURES; do
+ authselect enable-feature $feature;
+ done
+
+ authselect apply-changes -b --backup=after-hardening-custom-profile
+ fi
+ PAM_FILE_NAME=$(basename "/etc/pam.d/login")
+ PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
+
+ authselect apply-changes -b
+ fi
+
+if grep -qP '^\s*session\s.*\bpam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks 's/(.*session.*pam_lastlog.so.*)\bsilent\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+fi
+ if [ -f /usr/bin/authselect ]; then
+
+ authselect apply-changes -b
+ fi
+else
+ echo "/etc/pam.d/login was not found" >&2
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Set Lockouts for Failed Password Attempts
+ The pam_faillock PAM module provides the capability to
+lock out user accounts after a number of failed login attempts. Its
+documentation is available in
+/usr/share/doc/pam-VERSION/txts/README.pam_faillock.
+
+ Locking out user accounts presents the
+risk of a denial-of-service attack. The lockout policy
+must weigh whether the risk of such a
+denial-of-service attack outweighs the benefits of thwarting
+password guessing attacks.
+
+ fail_deny
+ Number of failed login attempts before account lockout
+ 10
+ 3
+ 4
+ 5
+ 6
+ 3
+
+
+ faillock directory
+ The directory where the user files with the failure records are kept
+ /var/log/faillock
+ /var/log/faillock
+
+
+ fail_interval
+ Interval for counting failed login attempts before account lockout
+ 100000000
+ 1800
+ 3600
+ 86400
+ 900
+ 900
+
+
+ fail_unlock_time
+ Seconds before automatic unlocking or permanently locking after excessive failed logins
+ 1800
+ 3600
+ 600
+ 604800
+ 86400
+ 900
+ 0
+ 0
+
+
+ tally2_unlock_time
+ Seconds before automatic unlocking or permanently locking after excessive failed logins
+ 1800
+ 3600
+ 600
+ 604800
+ 86400
+ 900
+ 0
+ 0
+
+
+ faildelay_delay
+ Delay next login attempt after a failed login
+ 0
+ 4000000
+ 4000000
+
+
+ pwhistory_remember
+ Prevent password re-use using password history lookup
+ 0
+ 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5
+
+
+ PAM pwhistory remember - control flag
+ 'Specify the control flag required for password remember requirement. If multiple
+values are allowed write them separated by commas as in "required,requisite",
+for remediations the first value will be taken'
+ required
+ optional
+ requisite
+ sufficient
+ binding
+ required,requisite
+ requisite
+
+
+ tally2
+ Number of failed login attempts
+ 1
+ 2
+ 3
+ 4
+ 5
+ 3
+
+
+ Account Lockouts Must Be Logged
+ PAM faillock locks an account due to excessive password failures, this event must be logged.
+ This rule is deprecated in favor of the accounts_passwords_pam_faillock_audit rule.
+Please consider replacing this rule in your files as it is not expected to receive
+updates as of version 0.1.65.
+ CCI-000044
+ AC-7 (a)
+ SRG-OS-000021-GPOS-00005
+ Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.
+
+
+
+
+
+
+
+
+ Account Lockouts Must Persist
+ By setting a `dir` in the faillock configuration account lockouts will persist across reboots.
+ This rule is deprecated in favor of the accounts_passwords_pam_faillock_dir rule.
+Please consider replacing this rule in your files as it is not expected to receive
+updates as of version 0.1.65.
+ CCI-000044
+ AC-7 (a)
+ Having lockouts persist across reboots ensures that account is only unlocked by an administrator.
+If the lockouts did not persist across reboots an attack could simply reboot the system to continue brute force attacks against the accounts on the system.
+
+
+
+
+
+
+ Account Lockouts Must Be Logged
+ PAM faillock locks an account due to excessive password failures, this event must be logged.
+ CCI-000044
+ AC-7 (a)
+ SRG-OS-000021-GPOS-00005
+ Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.
+
+
+
+
+
+
+
+
+
+ Set Password Quality Requirements
+ The default pam_pwquality PAM module provides strength
+checking for passwords. It performs a number of checks, such as
+making sure passwords are not similar to dictionary words, are of
+at least a certain length, are not the previous password reversed,
+and are not simply a change of case from the previous password. It
+can also require passwords to be in certain character classes. The
+pam_pwquality module is the preferred way of configuring
+password requirements.
+
+The man pages pam_pwquality(8)
+provide information on the capabilities and configuration of
+each.
+
+ Set Password Quality Requirements, if using
+pam_cracklib
+ The pam_cracklib PAM module can be configured to meet
+requirements for a variety of policies.
+
+For example, to configure pam_cracklib to require at least one uppercase
+character, lowercase character, digit, and other (special)
+character, locate the following line in /etc/pam.d/system-auth:
+password requisite pam_cracklib.so try_first_pass retry=3
+and then alter it to read:
+password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
+If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
+The arguments can be modified to ensure compliance with
+your organization's security policy. Discussion of each parameter follows.
+ Note that the password quality requirements are not enforced for the
+root account for some reason.
+
+
+ Set Password Quality Requirements with pam_pwquality
+ The pam_pwquality PAM module can be configured to meet
+requirements for a variety of policies.
+
+For example, to configure pam_pwquality to require at least one uppercase
+character, lowercase character, digit, and other (special)
+character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
+Next, modify the settings in /etc/security/pwquality.conf to match the following:
+difok = 4
+minlen = 14
+dcredit = -1
+ucredit = -1
+lcredit = -1
+ocredit = -1
+maxrepeat = 3
+The arguments can be modified to ensure compliance with
+your organization's security policy. Discussion of each parameter follows.
+
+ dcredit
+ Minimum number of digits in password
+ 0
+ -1
+ -2
+ -1
+
+
+ dictcheck
+ Prevent the use of dictionary words for passwords.
+ 1
+ 1
+
+
+ difok
+ Minimum number of characters not present in old
+password
+ 15
+ 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 8
+
+
+ lcredit
+ Minimum number of lower case in password
+ 0
+ -1
+ -2
+ -1
+
+
+ maxclassrepeat
+ Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class
+ 1
+ 2
+ 3
+ 4
+ 4
+
+
+ maxrepeat
+ Maximum Number of Consecutive Repeating Characters in a Password
+ 1
+ 2
+ 3
+ 3
+
+
+ minclass
+ Minimum number of categories of characters that must exist in a password
+ 1
+ 2
+ 3
+ 4
+ 3
+
+
+ minlen
+ Minimum number of characters in password
+ 10
+ 12
+ 14
+ 15
+ 18
+ 20
+ 6
+ 7
+ 8
+ 15
+
+
+ ocredit
+ Minimum number of other (special characters) in
+password
+ 0
+ -1
+ -2
+ -1
+
+
+ retry
+ Number of retry attempts before erroring out
+ 1
+ 2
+ 3
+ 4
+ 5
+ 3
+
+
+ ucredit
+ Minimum number of upper case in password
+ 0
+ -1
+ -2
+ -1
+
+
+
+
+ Set Password Hashing Algorithm
+ The system's default algorithm for storing password hashes in
+/etc/shadow is SHA-512. This can be configured in several
+locations.
+
+
+
+ Protect Physical Console Access
+ It is impossible to fully protect a system from an
+attacker with physical access, so securing the space in which the
+system is located should be considered a necessary step. However,
+there are some steps which, if taken, make it more difficult for an
+attacker to quickly or undetectably modify a system from its
+console.
+
+ Login timeout for idle sessions
+ Specify duration of allowed idle time.
+ 600
+ 7200
+ 840
+ 900
+ 1800
+ 300
+ 3600
+ 300
+
+
+ Configure Screen Locking
+ When a user must temporarily leave an account
+logged-in, screen locking should be employed to prevent passersby
+from abusing the account. User education and training is
+particularly important for screen locking to be effective, and policies
+can be implemented to reinforce this.
+
+Automatic screen locking is only meant as a safeguard for
+those cases where a user forgot to lock the screen.
+
+ Configure Console Screen Locking
+ A console screen locking mechanism is a temporary action taken when a user
+stops work and moves away from the immediate physical vicinity of the
+information system but does not logout because of the temporary nature of
+the absence. Rather than relying on the user to manually lock their
+operation system session prior to vacating the vicinity, operating systems
+need to be able to identify when a user's session has idled and take action
+to initiate the session lock.
+
+
+ Hardware Tokens for Authentication
+ The use of hardware tokens such as smart cards for system login
+provides stronger, two-factor authentication than using a username and password.
+
+In Red Hat Enterprise Linux servers and workstations, hardware token login
+
+is not enabled by default and must be enabled in the system settings.
+
+
+ OpenSC Smart Card Drivers
+ Choose the Smart Card Driver in use by your organization.
+For DoD, choose the cac driver.
+If your driver is not listed and you don't want to use the
+default driver, use the other option and
+manually specify your driver.
+ default
+ acos5
+ akis
+ asepcos
+ atrust-acos
+ authentic
+ belpic
+ cac
+ cardos
+ coolkey
+ cyberflex
+ dnie
+ entersafe
+ epass2003
+ flex
+ gemsafeV1
+ gids
+ gpk
+ iasecc
+ incrypto34
+ isoApplet
+ itacns
+ jpki
+ MaskTech
+ mcrd
+ muscle
+ myeid
+ npa
+ oberthur
+ openpgp
+ None
+ PIV-II
+ rutoken_ecp
+ rutoken
+ sc-hsm
+ setcos
+ starcos
+ tcos
+ westcos
+
+
+
+
+
+ Protect Accounts by Restricting Password-Based Login
+ Conventionally, Unix shell accounts are accessed by
+providing a username and password to a login program, which tests
+these values for correctness using the /etc/passwd and
+/etc/shadow files. Password-based login is vulnerable to
+guessing of weak passwords, and to sniffing and man-in-the-middle
+attacks against passwords entered over a network or at an insecure
+console. Therefore, mechanisms for accessing accounts by entering
+usernames and passwords should be restricted to those which are
+operationally necessary.
+
+ Accounts Authorized Local Users on the Operating System
+ List the user accounts that are authorized locally on the operating system. This list
+includes both users requried by the operating system and by the installed applications.
+Depending on the Operating System distribution, version, software groups and applications,
+the user list is different and can be customized with scap-workbench.
+OVAL regular expression is used for the user list.
+The list starts with '^' and ends with '$' so that it matches exactly the
+username, not any string that includes the username. Users are separated with '|'.
+For example, three users: bin, oracle and sapadm are allowed, then the list is
+^(bin|oracle|sapadm)$. The user root is the only user that is hard coded
+in OVAL that is always allowed on the operating system.
+ ^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$
+ ^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$
+ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$
+ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$
+ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$
+ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$
+ ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd)$
+
+
+ Set Account Expiration Parameters
+ Accounts can be configured to be automatically disabled
+after a certain time period,
+meaning that they will require administrator interaction to become usable again.
+Expiration of accounts after inactivity can be set for all accounts by default
+and also on a per-account basis, such as for accounts that are known to be temporary.
+To configure automatic expiration of an account following
+the expiration of its password (that is, after the password has expired and not been changed),
+run the following command, substituting NUM_DAYS and USER appropriately:
+$ sudo chage -I NUM_DAYS USER
+Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
+-E option.
+The file /etc/default/useradd controls
+default settings for all newly-created accounts created with the system's
+normal command line utilities.
+ This will only apply to newly created accounts
+
+ number of days after the last login of the user when the user will be locked out
+ 'This option is specific for the auth or account phase. It specifies the number of days after
+the last login of the user when the user will be locked out by the pam_lastlog module.'
+ 0
+ 180
+ 30
+ 35
+ 40
+ 60
+ 90
+ 35
+
+
+ number of days after a password expires until the account is permanently disabled
+ The number of days to wait after a password expires, until the account will be permanently disabled.
+ 0
+ 180
+ 30
+ 35
+ 40
+ 60
+ 90
+ 35
+
+
+ Ensure All Accounts on the System Have Unique Names
+ Ensure accounts on the system have unique names.
+
+To ensure all accounts have unique names, run the following command:
+$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
+If a username is returned, change or delete the username.
+ 5.5.2
+ CCI-000770
+ CCI-000804
+ Req-8.1.1
+ Unique usernames allow for accountability on the system.
+
+
+
+
+
+
+
+
+ Use Centralized and Automated Authentication
+ Implement an automated system for managing user accounts that minimizes the
+risk of errors, either intentional or deliberate. This system
+should integrate with an existing enterprise user management system, such as
+one based on Identity Management tools such as Active Directory, Kerberos,
+Directory Server, etc.
+ A comprehensive account management process that includes automation helps to
+ensure the accounts designated as requiring attention are consistently and
+promptly addressed. Enterprise environments make user account management
+challenging and complex. A user management process requiring administrators to
+manually address account management functions adds risk of potential
+oversight.
+
+
+
+
+
+
+ Set Password Expiration Parameters
+ The file /etc/login.defs controls several
+password-related settings. Programs such as passwd,
+su, and
+login consult /etc/login.defs to determine
+behavior with regard to password aging, expiration warnings,
+and length. See the man page login.defs(5) for more information.
+
+Users should be forced to change their passwords, in order to
+decrease the utility of compromised passwords. However, the need to
+change passwords often should be balanced against the risk that
+users will reuse or write down passwords if forced to change them
+too often. Forcing password changes every 90-360 days, depending on
+the environment, is recommended. Set the appropriate value as
+PASS_MAX_DAYS and apply it to existing accounts with the
+-M flag.
+
+The PASS_MIN_DAYS (-m) setting prevents password
+changes for 7 days after the first change, to discourage password
+cycling. If you use this setting, train users to contact an administrator
+for an emergency password change in case a new password becomes
+compromised. The PASS_WARN_AGE (-W) setting gives
+users 7 days of warnings at login time that their passwords are about to expire.
+
+For example, for each existing human user USER, expiration parameters
+could be adjusted to a 180 day maximum password age, 7 day minimum password
+age, and 7 day warning period with the following command:
+$ sudo chage -M 180 -m 7 -W 7 USER
+
+ maximum password age
+ Maximum age of password in days
+ 365
+ 120
+ 180
+ 60
+ 90
+ 60
+
+
+ minimum password age
+ Minimum age of password in days
+ 0
+ 1
+ 2
+ 5
+ 7
+ 7
+
+
+ minimum password length
+ Minimum number of characters in password
+ This will only check new passwords
+ 10
+ 12
+ 14
+ 15
+ 18
+ 20
+ 6
+ 8
+ 15
+
+
+ warning days before password expires
+ The number of days' warning given before a password expires.
+ This will only apply to newly created accounts
+ 0
+ 14
+ 7
+ 7
+
+
+ Set Password Maximum Age
+ To specify password maximum age for new accounts,
+edit the file /etc/login.defs
+and add or correct the following line:
+PASS_MAX_DAYS
+A value of 180 days is sufficient for many environments.
+The DoD requirement is 60.
+The profile requirement is .
+ BP28(R18)
+ 1
+ 12
+ 15
+ 16
+ 5
+ 5.6.2.1
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.5.6
+ CCI-000199
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ 0418
+ 1055
+ 1402
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-5(f)
+ IA-5(1)(d)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ Req-8.2.4
+ SRG-OS-000076-GPOS-00044
+ Any password, no matter how complex, can eventually be cracked. Therefore, passwords
+need to be changed periodically. If the operating system does not limit the lifetime
+of passwords and force users to change their passwords, there is the risk that the
+operating system passwords could be compromised.
+
+Setting the password maximum age ensures users are required to
+periodically change their passwords. Requiring shorter password lifetimes
+increases the risk of users writing down the password in a convenient
+location subject to physical compromise.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then
+
+var_accounts_maximum_age_login_defs=''
+
+
+grep -q ^PASS_MAX_DAYS /etc/login.defs && \
+ sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]; then
+ echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Set Password Minimum Age
+ To specify password minimum age for new accounts,
+edit the file /etc/login.defs
+and add or correct the following line:
+PASS_MIN_DAYS
+A value of 1 day is considered sufficient for many
+environments. The DoD requirement is 1.
+The profile requirement is .
+ 1
+ 12
+ 15
+ 16
+ 5
+ 5.6.2.1.1
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.5.8
+ CCI-000198
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ 0418
+ 1055
+ 1402
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-5(f)
+ IA-5(1)(d)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ Req-8.3.9
+ SRG-OS-000075-GPOS-00043
+ Enforcing a minimum password lifetime helps to prevent repeated password
+changes to defeat the password reuse or history enforcement requirement. If
+users are allowed to immediately and continually change their password,
+then the password could be repeatedly changed in a short period of time to
+defeat the organization's policy regarding password reuse.
+
+Setting the minimum password age protects against users cycling back to a
+favorite password after satisfying the password reuse requirement.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then
+
+var_accounts_minimum_age_login_defs=''
+
+
+grep -q ^PASS_MIN_DAYS /etc/login.defs && \
+ sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]; then
+ echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Set Password Minimum Length in login.defs
+ To specify password length requirements for new accounts, edit the file
+/etc/login.defs and add or correct the following line:
+PASS_MIN_LEN
+
+The DoD requirement is 15.
+The FISMA requirement is 12.
+The profile requirement is
+.
+If a program consults /etc/login.defs and also another PAM module
+(such as pam_pwquality) during a password change operation, then
+the most restrictive must be satisfied. See PAM section for more
+information about enforcing password quality requirements.
+ BP28(R18)
+ 1
+ 12
+ 15
+ 16
+ 5
+ 5.6.2.1
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.5.7
+ CCI-000205
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ 0421
+ 0422
+ 0431
+ 0974
+ 1173
+ 1401
+ 1504
+ 1505
+ 1546
+ 1557
+ 1558
+ 1559
+ 1560
+ 1561
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-5(f)
+ IA-5(1)(a)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ SRG-OS-000078-GPOS-00046
+ Requiring a minimum password length makes password
+cracking attacks more difficult by ensuring a larger
+search space. However, any security benefit from an onerous requirement
+must be carefully weighed against usability problems, support costs, or counterproductive
+behavior that may result.
+
+
+
+
+
+
+
+
+
+
+ Set Password Warning Age
+ To specify how many days prior to password
+expiration that a warning will be issued to users,
+edit the file /etc/login.defs and add or correct
+ the following line:
+PASS_WARN_AGE
+The DoD requirement is 7.
+The profile requirement is .
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 7
+ 8
+ DSS01.03
+ DSS03.05
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.5.8
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 6.2
+ 0418
+ 1055
+ 1402
+ A.12.4.1
+ A.12.4.3
+ A.18.1.4
+ A.6.1.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ IA-5(f)
+ IA-5(1)(d)
+ CM-6(a)
+ DE.CM-1
+ DE.CM-3
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ Req-8.3.9
+ Setting the password warning age enables users to
+make the change at a practical time.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then
+
+var_accounts_password_warn_age_login_defs=''
+
+
+grep -q ^PASS_WARN_AGE /etc/login.defs && \
+sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+ echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+
+ Verify Proper Storage and Existence of Password
+Hashes
+ By default, password hashes for local accounts are stored
+in the second field (colon-separated) in
+/etc/shadow. This file should be readable only by
+processes running with root credentials, preventing users from
+casually accessing others' password hashes and attempting
+to crack them.
+However, it remains possible to misconfigure the system
+and store password hashes
+in world-readable files such as /etc/passwd, or
+to even store passwords themselves in plaintext on the system.
+Using system-provided tools for password change/creation
+should allow administrators to avoid such misconfiguration.
+
+ Password Hashing algorithm
+ Specify the number of SHA rounds for the system password encryption algorithm.
+Defines the value set in /etc/pam.d/system-auth and /etc/pam.d/password-auth
+ 5000
+ 5000
+ 65536
+
+
+ Verify All Account Password Hashes are Shadowed
+ If any password hashes are stored in /etc/passwd (in the second field,
+instead of an x or *), the cause of this misconfiguration should be
+investigated. The account should have its password reset and the hash should be
+properly stored, or the account should be deleted entirely.
+ 1
+ 12
+ 15
+ 16
+ 5
+ 5.5.2
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.5.10
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ 1410
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ IA-5(h)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ Req-8.2.1
+ The hashes for all user account passwords should be stored in
+the file /etc/shadow and never in /etc/passwd,
+which is readable by all users.
+
+
+
+
+
+
+
+
+
+ All GIDs referenced in /etc/passwd must be defined in /etc/group
+ Add a group to the system for each GID referenced without a corresponding group.
+ 1
+ 12
+ 15
+ 16
+ 5
+ 5.5.2
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ CCI-000764
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ IA-2
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ Req-8.5.a
+ SRG-OS-000104-GPOS-00051
+ If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
+with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
+any files associated with the group.
+
+
+
+
+
+
+
+
+ Prevent Login to Accounts With Empty Password
+ If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the
+nullok in
+
+/etc/pam.d/system-auth and
+/etc/pam.d/password-auth
+
+to prevent logins with empty passwords.
+ If the system relies on authselect tool to manage PAM settings, the remediation
+will also use authselect tool. However, if any manual modification was made in
+PAM files, the authselect integrity check will fail and the remediation will be
+aborted in order to preserve intentional changes. In this case, an informative message will
+be shown in the remediation report.
+Note that this rule is not applicable for systems running within a
+container. Having user with empty password within a container is not
+considered a risk, because it should not be possible to directly login into
+a container anyway.
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2
+ APO01.06
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.02
+ DSS06.03
+ DSS06.10
+ 3.1.1
+ 3.1.5
+ CCI-000366
+ 164.308(a)(1)(ii)(B)
+ 164.308(a)(7)(i)
+ 164.308(a)(7)(ii)(A)
+ 164.310(a)(1)
+ 164.310(a)(2)(i)
+ 164.310(a)(2)(ii)
+ 164.310(a)(2)(iii)
+ 164.310(b)
+ 164.310(c)
+ 164.310(d)(1)
+ 164.310(d)(2)(iii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.18.1.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ IA-5(1)(a)
+ IA-5(c)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.DS-5
+ FIA_UAU.1
+ Req-8.2.3
+ SRG-OS-000480-GPOS-00227
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+
+
+
+
+
+
+
+
+
+ Ensure There Are No Accounts With Blank or Null Passwords
+ Check the "/etc/shadow" file for blank passwords with the
+following command:
+$ sudo awk -F: '!$2 {print $1}' /etc/shadow
+If the command returns any results, this is a finding.
+Configure all accounts on the system to have a password or lock
+the account with the following commands:
+Perform a password reset:
+$ sudo passwd [username]
+Lock an account:
+$ sudo passwd -l [username]
+ Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.
+ CCI-000366
+ CM-6(b)
+ CM-6.1(iv)
+ SRG-OS-000480-GPOS-00227
+ If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational environments.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
+
+for user_with_empty_pass in "${users_with_empty_pass[@]}"
+do
+ passwd -l $user_with_empty_pass
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Collect users with no password
+ command: |
+ awk -F: '!$2 {print $1}' /etc/shadow
+ register: users_nopasswd
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_empty_passwords_etc_shadow
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Lock users with no password
+ command: |
+ passwd -l {{ item }}
+ with_items: '{{ users_nopasswd.stdout_lines }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - users_nopasswd.stdout_lines | length > 0
+ tags:
+ - NIST-800-53-CM-6(b)
+ - NIST-800-53-CM-6.1(iv)
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_empty_passwords_etc_shadow
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Verify No netrc Files Exist
+ The .netrc files contain login information
+used to auto-login into FTP servers and reside in the user's home
+directory. These files may contain unencrypted passwords to
+remote FTP servers making them susceptible to access by unauthorized
+users and should not be used. Any .netrc files should be removed.
+ 1
+ 11
+ 12
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.06
+ DSS06.10
+ CCI-000196
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ A.18.1.4
+ A.6.1.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R1.3
+ CIP-003-8 R3
+ CIP-003-8 R3.1
+ CIP-003-8 R3.2
+ CIP-003-8 R3.3
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ IA-5(h)
+ IA-5(1)(c)
+ CM-6(a)
+ IA-5(7)
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.PT-3
+ Unencrypted passwords for remote FTP servers may be stored in .netrc
+files.
+
+
+
+
+
+
+
+
+
+ Restrict Root Logins
+ Direct root logins should be allowed only for emergency use.
+In normal situations, the administrator should access the system
+via a unique unprivileged account, and then use su or sudo to execute
+privileged commands. Discouraging administrators from accessing the
+root account directly ensures an audit trail in organizations with
+multiple administrators. Locking down the channels through which
+root can connect directly also reduces opportunities for
+password-guessing against the root account. The login program
+uses the file /etc/securetty to determine which interfaces
+should allow root logins.
+
+The virtual devices /dev/console
+and /dev/tty* represent the system consoles (accessible via
+the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
+installation). The default securetty file also contains /dev/vc/*.
+These are likely to be deprecated in most environments, but may be retained
+for compatibility. Root should also be prohibited from connecting
+via network protocols. Other sections of this document
+include guidance describing how to prevent root from logging in via SSH.
+
+ Verify Only Root Has UID 0
+ If any account other than root has a UID of 0, this misconfiguration should
+be investigated and the accounts other than root should be removed or have
+their UID changed.
+
+If the account is associated with system commands or applications the UID
+should be changed to one greater than "0" but less than "1000."
+Otherwise assign a UID greater than "1000" that has not already been
+assigned.
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.02
+ DSS06.03
+ DSS06.10
+ 3.1.1
+ 3.1.5
+ CCI-000366
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.18.1.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ IA-2
+ AC-6(5)
+ IA-4(b)
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.DS-5
+ Req-8.2.1
+ SRG-OS-000480-GPOS-00227
+ An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+ awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l
+
+
+
+
+
+
+
+
+
+ Verify Root Has A Primary GID 0
+ The root user should have a primary group of 0.
+ Req-8.2.1
+ To help ensure that root-owned files are not inadvertently exposed to other users.
+
+
+
+
+
+
+
+
+ Direct root Logins Not Allowed
+ To further limit access to the root account, administrators
+can disable root logins at the console by editing the /etc/securetty file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to the system as root via Telnet, which sends the password in
+plain text over the network. By default, Ubuntu 18.04's
+/etc/securetty file only allows the root user to login at the console
+physically attached to the system. To prevent root from logging in, remove the
+contents of this file. To prevent direct root logins, remove the contents of this
+file by typing the following command:
+
+$ sudo echo > /etc/securetty
+
+ This rule only checks the /etc/securetty file existence and its content.
+If you need to restrict user access using the /etc/securetty file, make sure
+the pam_securetty.so PAM module is properly enabled in relevant PAM files.
+ BP28(R19)
+ 1
+ 12
+ 15
+ 16
+ 5
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.1.1
+ 3.1.6
+ 164.308(a)(1)(ii)(B)
+ 164.308(a)(7)(i)
+ 164.308(a)(7)(ii)(A)
+ 164.310(a)(1)
+ 164.310(a)(2)(i)
+ 164.310(a)(2)(ii)
+ 164.310(a)(2)(iii)
+ 164.310(b)
+ 164.310(c)
+ 164.310(d)(1)
+ 164.310(d)(2)(iii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ A.18.1.4
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ IA-2
+ CM-6(a)
+ PR.AC-1
+ PR.AC-6
+ PR.AC-7
+ Req-8.6.1
+ Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This is required for FISMA Low
+and FISMA Moderate systems.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+echo > /etc/securetty
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Direct root Logins Not Allowed
+ copy:
+ dest: /etc/securetty
+ content: ''
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-2
+ - PCI-DSS-Req-8.6.1
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_direct_root_logins
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure that System Accounts Are Locked
+ Some accounts are not associated with a human user of the system, and exist to
+perform some administrative function. An attacker should not be able to log into
+these accounts.
+
+System accounts are those user accounts with a user ID
+less than UID_MIN, where value of the UID_MIN directive is set in
+/etc/login.defs configuration file. In the default configuration UID_MIN is set
+to 500, thus system accounts are those user accounts with a user ID less than
+500. If any system account SYSACCT (other than root) has an unlocked password,
+disable it with the command:
+$ sudo passwd -l SYSACCT
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6
+ CM-6(a)
+ Disabling authentication for default system accounts makes it more difficult
+for attackers to make use of them to compromise a system.false
+
+
+
+
+
+ Restrict Serial Port Root Logins
+ To restrict root logins on serial ports,
+ensure lines of this form do not appear in /etc/securetty:
+ttyS0
+ttyS1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.1
+ 3.1.5
+ CCI-000770
+ 164.308(a)(1)(ii)(B)
+ 164.308(a)(7)(i)
+ 164.308(a)(7)(ii)(A)
+ 164.310(a)(1)
+ 164.310(a)(2)(i)
+ 164.310(a)(2)(ii)
+ 164.310(a)(2)(iii)
+ 164.310(b)
+ 164.310(c)
+ 164.310(d)(1)
+ 164.310(d)(2)(iii)
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6
+ CM-6(a)
+ PR.AC-4
+ PR.DS-5
+ Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+ sed -i '/ttyS/d' /etc/securetty
+
+
+
+
+
+
+
+
+
+ Restrict Virtual Console Root Logins
+ To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in /etc/securetty:
+vc/1
+vc/2
+vc/3
+vc/4
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.1
+ 3.1.5
+ CCI-000770
+ 164.308(a)(1)(ii)(B)
+ 164.308(a)(7)(i)
+ 164.308(a)(7)(ii)(A)
+ 164.310(a)(1)
+ 164.310(a)(2)(i)
+ 164.310(a)(2)(ii)
+ 164.310(a)(2)(iii)
+ 164.310(b)
+ 164.310(c)
+ 164.310(d)(1)
+ 164.310(d)(2)(iii)
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6
+ CM-6(a)
+ PR.AC-4
+ PR.DS-5
+ Req-8.6.1
+ SRG-OS-000324-GPOS-00125
+ Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+ sed -i '/^vc\//d' /etc/securetty
+
+
+
+
+
+
+
+
+
+
+
+ Secure Session Configuration Files for Login Accounts
+ When a user logs into a Unix account, the system
+configures the user's session by reading a number of files. Many of
+these files are located in the user's home directory, and may have
+weak permissions as a result of user error or misconfiguration. If
+an attacker can modify or even read certain types of account
+configuration information, they can often gain full access to the
+affected user's account. Therefore, it is important to test and
+correct configuration file permissions for interactive accounts,
+particularly those of privileged users such as root or system
+administrators.
+
+ Maximum login attempts delay
+ Maximum time in seconds between fail login attempts before re-prompting.
+ 1
+ 2
+ 3
+ 4
+ 5
+ 4
+
+
+ Maximum concurrent login sessions
+ Maximum number of concurrent sessions by a user
+ 1
+ 10
+ 15
+ 20
+ 3
+ 5
+ 1
+
+
+ Account Inactivity Timeout (seconds)
+ In an interactive shell, the value is interpreted as the
+number of seconds to wait for input after issuing the primary prompt.
+Bash terminates after waiting for that number of seconds if input does
+not arrive.
+ 1800
+ 600
+ 900
+ 300
+ 600
+
+
+ Interactive users initialization files
+ 'A regular expression describing a list of file names
+for files that are sourced at login time for interactive users'
+ (\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)
+
+
+ Ensure the Logon Failure Delay is Set Correctly in login.defs
+ To ensure the logon failure delay controlled by /etc/login.defs is set properly,
+add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
+FAIL_DELAY
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ CCI-000366
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-7(b)
+ CM-6(a)
+ PR.IP-1
+ SRG-OS-000480-GPOS-00226
+ Increasing the time between a failed authentication attempt and re-prompting to
+enter credentials helps to slow a single-threaded brute force attack.
+
+
+
+
+
+
+
+
+
+
+ Limit the Number of Concurrent Login Sessions Allowed Per User
+ Limiting the number of allowed users and sessions per user can limit risks related to Denial of
+Service attacks. This addresses concurrent sessions for a single account and does not address
+concurrent sessions by a single user via multiple accounts. To set the number of concurrent
+sessions per user add the following line in /etc/security/limits.conf or
+a file under /etc/security/limits.d/:
+* hard maxlogins
+ 14
+ 15
+ 18
+ 9
+ 5.5.2.2
+ DSS01.05
+ DSS05.02
+ CCI-000054
+ 4.3.3.4
+ SR 3.1
+ SR 3.8
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.14.1.2
+ A.14.1.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ AC-10
+ CM-6(a)
+ PR.AC-5
+ SRG-OS-000027-GPOS-00008
+ SRG-OS-000027-VMM-000080
+ Limiting simultaneous user logins can insulate the system from denial of service
+problems caused by excessive logins. Automated login processes operating improperly or
+maliciously may result in an exceptional number of simultaneous login sessions.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
+
+var_accounts_max_concurrent_login_sessions=''
+
+
+if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
+ sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
+elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
+ sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
+else
+ echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure Polyinstantiation of /tmp Directories
+ To configure polyinstantiated /tmp directories, first create the parent directories
+which will hold the polyinstantiation child directories. Use the following command:
+$ sudo mkdir --mode 000 /tmp/tmp-inst
+Then, add the following entry to /etc/security/namespace.conf:
+/tmp /tmp/tmp-inst/ level root,adm
+ BP28(R39)
+ Polyinstantiation of temporary directories is a proactive security measure
+which reduces chances of attacks that are made possible by /tmp
+directories being world-writable.
+ if ! [ -d /tmp/tmp-inst ] ; then
+ mkdir --mode 000 /tmp/tmp-inst
+fi
+chmod 000 /tmp/tmp-inst
+chcon --reference=/tmp /tmp/tmp-inst
+
+if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
+ if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then
+ sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf
+ fi
+ echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf
+fi
+
+
+
+
+
+
+
+
+
+ Configure Polyinstantiation of /var/tmp Directories
+ To configure polyinstantiated /tmp directories, first create the parent directories
+which will hold the polyinstantiation child directories. Use the following command:
+$ sudo mkdir --mode 000 /var/tmp/tmp-inst
+Then, add the following entry to /etc/security/namespace.conf:
+/var/tmp /var/tmp/tmp-inst/ level root,adm
+ BP28(R39)
+ Polyinstantiation of temporary directories is a proactive security measure
+which reduces chances of attacks that are made possible by /var/tmp
+directories being world-writable.
+ if ! [ -d /tmp-inst ] ; then
+ mkdir --mode 000 /var/tmp/tmp-inst
+fi
+chmod 000 /var/tmp/tmp-inst
+chcon --reference=/var/tmp/ /var/tmp/tmp-inst
+
+if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
+ if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then
+ sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf
+ fi
+ echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf
+fi
+
+
+
+
+
+
+
+
+
+ Ensure that User Home Directories are not Group-Writable or World-Readable
+ For each human user of the system, view the
+permissions of the user's home directory:
+# ls -ld /home/USER
+Ensure that the directory is not group-writable and that it
+is not world-readable. If necessary, repair the permissions:
+# chmod g-w /home/USER
+# chmod o-rwx /home/USER
+ This action may involve modifying user home directories.
+Notify your user community, and solicit input if appropriate,
+before making this type of change.
+ This rule is deprecated in favor of the file_permissions_home_directories rule.
+Please consider replacing this rule in your files as it is not expected to receive
+updates as of version 0.1.62.
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-000225
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ CM-6(a)
+ PR.AC-4
+ PR.DS-5
+ User home directories contain many configuration files which
+affect the behavior of a user's account. No user should ever have
+write permission to another user's home directory. Group shared
+directories can be configured in sub-directories or elsewhere in the
+filesystem if they are needed. Typically, user home directories
+should not be world-readable, as it would disclose file names
+to other users. If a subset of users need read access
+to one another's home directories, this can be provided using
+groups or ACLs.
+
+for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
+ # Only update the permissions when necessary. This will avoid changing the inode timestamp when
+ # the permission is already defined as expected, therefore not impacting in possible integrity
+ # check systems that also check inodes timestamps.
+ find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+done
+
+ - name: Get all local users from /etc/passwd
+ ansible.builtin.getent:
+ database: passwd
+ split: ':'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - file_permissions_home_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Create local_users variable from the getent output
+ ansible.builtin.set_fact:
+ local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - file_permissions_home_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Test for existence home directories to avoid creating them.
+ ansible.builtin.stat:
+ path: '{{ item.value[4] }}'
+ register: path_exists
+ loop: '{{ local_users }}'
+ when:
+ - item.value[1]|int >= 1000
+ - item.value[1]|int != 65534
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - file_permissions_home_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Ensure interactive local users have proper permissions on their respective
+ home directories
+ ansible.builtin.file:
+ path: '{{ item.0.value[4] }}'
+ mode: u-s,g-w-s,o=-
+ follow: false
+ recurse: false
+ loop: '{{ local_users|zip(path_exists.results)|list }}'
+ when: item.1.stat is defined and item.1.stat.exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - file_permissions_home_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure that No Dangerous Directories Exist in Root's Path
+ The active path of the root account can be obtained by
+starting a new root shell and running:
+# echo $PATH
+This will produce a colon-separated list of
+directories in the path.
+
+Certain path elements could be considered dangerous, as they could lead
+to root executing unknown or
+untrusted programs, which could contain malicious
+code.
+Since root may sometimes work inside
+untrusted directories, the . character, which represents the
+current directory, should never be in the root path, nor should any
+directory which can be written to by an unprivileged or
+semi-privileged (system) user.
+
+It is a good practice for administrators to always execute
+privileged commands by typing the full path to the
+command.
+
+ Ensure that Root's Path Does Not Include World or Group-Writable Directories
+ For each element in root's path, run:
+# ls -ld DIR
+and ensure that write permissions are disabled for group and
+other.
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ CCI-000366
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ CM-6(a)
+ CM-6(a)
+ PR.IP-1
+ Such entries increase the risk that root could
+execute code provided by unprivileged users,
+and potentially malicious code.
+
+
+
+
+
+
+
+
+ Ensure that Root's Path Does Not Include Relative Paths or Null Directories
+ Ensure that none of the directories in root's path is equal to a single
+. character, or
+that it contains any instances that lead to relative path traversal, such as
+.. or beginning a path without the slash (/) character.
+Also ensure that there are no "empty" elements in the path, such as in these examples:
+PATH=:/bin
+PATH=/bin:
+PATH=/bin::/sbin
+These empty elements have the same effect as a single . character.
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ CCI-000366
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ CM-6(a)
+ CM-6(a)
+ PR.IP-1
+ Including these entries increases the risk that root could
+execute code from an untrusted location.
+
+
+
+
+
+
+ Ensure that Users Have Sensible Umask Values
+ The umask setting controls the default permissions
+for the creation of new files.
+With a default umask setting of 077, files and directories
+created by users will not be readable by any other user on the
+system. Users who wish to make specific files group- or
+world-readable can accomplish this by using the chmod command.
+Additionally, users can make all their files readable to their
+group by default by setting a umask of 027 in their shell
+configuration files. If default per-user groups exist (that is, if
+every user has a default group whose name is the same as that
+user's username and whose only member is the user), then it may
+even be safe for users to select a umask of 007, making it very
+easy to intentionally share files with groups of which the user is
+a member.
+
+
+ Sensible umask
+ Enter default user umask
+ 007
+ 022
+ 027
+ 077
+ 027
+
+
+ Ensure the Default Umask is Set Correctly in login.defs
+ To ensure the default umask controlled by /etc/login.defs is set properly,
+add or correct the UMASK setting in /etc/login.defs to read as follows:
+UMASK
+ BP28(R35)
+ 11
+ 18
+ 3
+ 9
+ APO13.01
+ BAI03.01
+ BAI03.02
+ BAI03.03
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ CCI-000366
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.1.1
+ A.14.2.1
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.14.2.5
+ A.6.1.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6(1)
+ CM-6(a)
+ PR.IP-1
+ PR.IP-2
+ Req-8.6.1
+ SRG-OS-000480-GPOS-00228
+ The umask value influences the permissions assigned to files when they are created.
+A misconfigured umask value could result in files with excessive permissions that can be read and
+written to by unauthorized users.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then
+
+var_accounts_user_umask=''
+
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/login.defs"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/login.defs"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Ensure the Default Umask is Set Correctly in /etc/profile
+ To ensure the default umask controlled by /etc/profile is set properly,
+add or correct the umask setting in /etc/profile to read as follows:
+umask
+ BP28(R35)
+ 18
+ APO13.01
+ BAI03.01
+ BAI03.02
+ BAI03.03
+ CCI-000366
+ 4.3.4.3.3
+ A.14.1.1
+ A.14.2.1
+ A.14.2.5
+ A.6.1.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6(1)
+ CM-6(a)
+ PR.IP-2
+ Req-8.6.1
+ SRG-OS-000480-GPOS-00228
+ SRG-OS-000480-GPOS-00227
+ The umask value influences the permissions assigned to files when they are created.
+A misconfigured umask value could result in files with excessive permissions that can be read or
+written to by unauthorized users.
+
+var_accounts_user_umask=''
+
+
+grep -qE '^[^#]*umask' /etc/profile && \
+ sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
+if ! [ $? -eq 0 ]; then
+ echo "umask $var_accounts_user_umask" >> /etc/profile
+fi
+
+ - name: XCCDF Value var_accounts_user_umask # promote to variable
+ set_fact:
+ var_accounts_user_umask: !!str
+ tags:
+ - always
+
+- name: Check if umask is already set
+ ansible.builtin.lineinfile:
+ path: /etc/profile
+ regexp: (^[\s]*umask)\s+(\d+)
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_umask_is_set
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.6.1
+ - accounts_umask_etc_profile
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Replace user umask in /etc/profile
+ ansible.builtin.replace:
+ path: /etc/profile
+ regexp: ^(\s*)umask\s+\d+
+ replace: \1umask {{ var_accounts_user_umask }}
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.6.1
+ - accounts_umask_etc_profile
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Append user umask in /etc/profile
+ ansible.builtin.lineinfile:
+ create: true
+ path: /etc/profile
+ line: umask {{ var_accounts_user_umask }}
+ when: result_umask_is_set.found == 0
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.6.1
+ - accounts_umask_etc_profile
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+
+
+
+ System Accounting with auditd
+ The audit service provides substantial capabilities
+for recording system activities. By default, the service audits about
+SELinux AVC denials and certain types of security-relevant events
+such as system logins, account modifications, and authentication
+events performed by programs such as sudo.
+Under its default configuration, auditd has modest disk space
+requirements, and should not noticeably impact system performance.
+
+NOTE: The Linux Audit daemon auditd can be configured to use
+the augenrules program to read audit rules files (*.rules)
+located in /etc/audit/rules.d location and compile them to create
+the resulting form of the /etc/audit/audit.rules configuration file
+during the daemon startup (default configuration). Alternatively, the auditd
+daemon can use the auditctl utility to read audit rules from the
+/etc/audit/audit.rules configuration file during daemon startup,
+and load them into the kernel. The expected behavior is configured via the
+appropriate ExecStartPost directive setting in the
+/usr/lib/systemd/system/auditd.service configuration file.
+To instruct the auditd daemon to use the augenrules program
+to read audit rules (default configuration), use the following setting:
+ ExecStartPost=-/sbin/augenrules --load
+in the /usr/lib/systemd/system/auditd.service configuration file.
+In order to instruct the auditd daemon to use the auditctl
+utility to read audit rules, use the following setting:
+ ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+in the /usr/lib/systemd/system/auditd.service configuration file.
+Refer to [Service] section of the /usr/lib/systemd/system/auditd.service
+configuration file for further details.
+
+Government networks often have substantial auditing
+requirements and auditd can be configured to meet these
+requirements.
+Examining some example audit records demonstrates how the Linux audit system
+satisfies common requirements.
+The following example from Red Hat Enterprise Linux 7 Documentation available at
+https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages
+shows the substantial amount of information captured in a
+two typical "raw" audit messages, followed by a breakdown of the most important
+fields. In this example the message is SELinux-related and reports an AVC
+denial (and the associated system call) that occurred when the Apache HTTP
+Server attempted to access the /var/www/html/file1 file (labeled with
+the samba_share_t type):
+type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
+path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
+tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+
+type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
+a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
+gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
+exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+
+msg=audit(1226874073.147:96)The number in parentheses is the unformatted time stamp (Epoch time)
+for the event, which can be converted to standard time by using the
+date command.
+{ getattr }The item in braces indicates the permission that was denied. getattr
+indicates the source process was trying to read the target file's status information.
+This occurs before reading files. This action is denied due to the file being
+accessed having the wrong label. Commonly seen permissions include getattr,
+read, and write.comm="httpd"The executable that launched the process. The full path of the executable is
+found in the exe= section of the system call (SYSCALL) message,
+which in this case, is exe="/usr/sbin/httpd".
+path="/var/www/html/file1"The path to the object (target) the process attempted to access.
+scontext="unconfined_u:system_r:httpd_t:s0"The SELinux context of the process that attempted the denied action. In
+this case, it is the SELinux context of the Apache HTTP Server, which is running
+in the httpd_t domain.
+tcontext="unconfined_u:object_r:samba_share_t:s0"The SELinux context of the object (target) the process attempted to access.
+In this case, it is the SELinux context of file1. Note: the samba_share_t
+type is not accessible to processes running in the httpd_t domain. From the system call (SYSCALL) message, two items are of interest:
+success=no: indicates whether the denial (AVC) was enforced or not.
+success=no indicates the system call was not successful (SELinux denied
+access). success=yes indicates the system call was successful - this can
+be seen for permissive domains or unconfined domains, such as initrc_t
+and kernel_t.
+exe="/usr/sbin/httpd": the full path to the executable that launched
+the process, which in this case, is exe="/usr/sbin/httpd".
+
+
+
+
+ Ensure the default plugins for the audit dispatcher are Installed
+ The audit-audispd-plugins package should be installed.
+ CCI-001851
+ Req-10.5.3
+ SRG-OS-000342-GPOS-00133
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "audispd-plugins"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure audispd-plugins is installed
+ package:
+ name: audispd-plugins
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - PCI-DSS-Req-10.5.3
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_audit-audispd-plugins_installed
+
+ include install_audispd-plugins
+
+class install_audispd-plugins {
+ package { 'audispd-plugins':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "audispd-plugins"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Ensure the audit Subsystem is Installed
+ The audit package should be installed.
+ BP28(R50)
+ CCI-000130
+ CCI-000131
+ CCI-000132
+ CCI-000133
+ CCI-000134
+ CCI-000135
+ CCI-000154
+ CCI-000158
+ CCI-000172
+ CCI-001464
+ CCI-001487
+ CCI-001814
+ CCI-001875
+ CCI-001876
+ CCI-001877
+ CCI-001878
+ CCI-001879
+ CCI-001880
+ CCI-001881
+ CCI-001882
+ CCI-001889
+ CCI-001914
+ CCI-002884
+ CCI-000169
+ CIP-004-6 R3.3
+ CIP-007-3 R6.5
+ AC-7(a)
+ AU-7(1)
+ AU-7(2)
+ AU-14
+ AU-12(2)
+ AU-2(a)
+ CM-6(a)
+ FAU_GEN.1
+ Req-10.2.1
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000038-GPOS-00016
+ SRG-OS-000039-GPOS-00017
+ SRG-OS-000040-GPOS-00018
+ SRG-OS-000041-GPOS-00019
+ SRG-OS-000042-GPOS-00021
+ SRG-OS-000051-GPOS-00024
+ SRG-OS-000054-GPOS-00025
+ SRG-OS-000122-GPOS-00063
+ SRG-OS-000254-GPOS-00095
+ SRG-OS-000255-GPOS-00096
+ SRG-OS-000337-GPOS-00129
+ SRG-OS-000348-GPOS-00136
+ SRG-OS-000349-GPOS-00137
+ SRG-OS-000350-GPOS-00138
+ SRG-OS-000351-GPOS-00139
+ SRG-OS-000352-GPOS-00140
+ SRG-OS-000353-GPOS-00141
+ SRG-OS-000354-GPOS-00142
+ SRG-OS-000358-GPOS-00145
+ SRG-OS-000365-GPOS-00152
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000475-GPOS-00220
+ The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "auditd"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure auditd is installed
+ package:
+ name: auditd
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-7(a)
+ - NIST-800-53-AU-12(2)
+ - NIST-800-53-AU-14
+ - NIST-800-53-AU-2(a)
+ - NIST-800-53-AU-7(1)
+ - NIST-800-53-AU-7(2)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_audit_installed
+
+ include install_auditd
+
+class install_auditd {
+ package { 'auditd':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "auditd"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Enable auditd Service
+ The auditd service is an essential userspace component of
+the Linux Auditing System, as it is responsible for writing audit records to
+disk.
+
+The auditd service can be enabled with the following command:
+$ sudo systemctl enable auditd.service
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.3.1
+ 3.3.2
+ 3.3.6
+ CCI-000126
+ CCI-000130
+ CCI-000131
+ CCI-000132
+ CCI-000133
+ CCI-000134
+ CCI-000135
+ CCI-000154
+ CCI-000158
+ CCI-000172
+ CCI-000366
+ CCI-001464
+ CCI-001487
+ CCI-001814
+ CCI-001875
+ CCI-001876
+ CCI-001877
+ CCI-002884
+ CCI-001878
+ CCI-001879
+ CCI-001880
+ CCI-001881
+ CCI-001882
+ CCI-001889
+ CCI-001914
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(5)(ii)(C)
+ 164.310(a)(2)(iv)
+ 164.310(d)(2)(iii)
+ 164.312(b)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ CIP-004-6 R3.3
+ CIP-007-3 R6.5
+ AC-2(g)
+ AU-3
+ AU-10
+ AU-2(d)
+ AU-12(c)
+ AU-14(1)
+ AC-6(9)
+ CM-6(a)
+ SI-4(23)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1
+ Req-10.1
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000038-GPOS-00016
+ SRG-OS-000039-GPOS-00017
+ SRG-OS-000040-GPOS-00018
+ SRG-OS-000041-GPOS-00019
+ SRG-OS-000042-GPOS-00021
+ SRG-OS-000051-GPOS-00024
+ SRG-OS-000054-GPOS-00025
+ SRG-OS-000122-GPOS-00063
+ SRG-OS-000254-GPOS-00095
+ SRG-OS-000255-GPOS-00096
+ SRG-OS-000337-GPOS-00129
+ SRG-OS-000348-GPOS-00136
+ SRG-OS-000349-GPOS-00137
+ SRG-OS-000350-GPOS-00138
+ SRG-OS-000351-GPOS-00139
+ SRG-OS-000352-GPOS-00140
+ SRG-OS-000353-GPOS-00141
+ SRG-OS-000354-GPOS-00142
+ SRG-OS-000358-GPOS-00145
+ SRG-OS-000365-GPOS-00152
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000475-GPOS-00220
+ SRG-OS-000037-VMM-000150
+ SRG-OS-000063-VMM-000310
+ SRG-OS-000038-VMM-000160
+ SRG-OS-000039-VMM-000170
+ SRG-OS-000040-VMM-000180
+ SRG-OS-000041-VMM-000190
+ Without establishing what type of events occurred, it would be difficult
+to establish, correlate, and investigate the events leading up to an outage or attack.
+Ensuring the auditd service is active ensures audit records
+generated by the kernel are appropriately recorded.
+
+Additionally, a properly configured audit subsystem ensures that actions of
+individual system users can be uniquely traced to those users so they
+can be held accountable for their actions.
+
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'auditd.service'
+"$SYSTEMCTL_EXEC" start 'auditd.service'
+"$SYSTEMCTL_EXEC" enable 'auditd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.3.2
+ - NIST-800-171-3.3.6
+ - NIST-800-53-AC-2(g)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-10
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-14(1)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-AU-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SI-4(23)
+ - PCI-DSS-Req-10.1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_auditd_enabled
+
+- name: Enable service auditd
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service auditd
+ service:
+ name: auditd
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"auditd" in ansible_facts.packages'
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.3.2
+ - NIST-800-171-3.3.6
+ - NIST-800-53-AC-2(g)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-10
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-14(1)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-AU-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SI-4(23)
+ - PCI-DSS-Req-10.1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_auditd_enabled
+
+ include enable_auditd
+
+class enable_auditd {
+ service {'auditd':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["auditd"]
+
+
+
+
+
+
+
+
+
+ Configure auditd Rules for Comprehensive Auditing
+ The auditd program can perform comprehensive
+monitoring of system activity. This section describes recommended
+configuration settings for comprehensive auditing, but a full
+description of the auditing system's capabilities is beyond the
+scope of this guide. The mailing list linux-audit@redhat.com exists
+to facilitate community discussion of the auditing system.
+
+The audit subsystem supports extensive collection of events, including:
+
+Tracing of arbitrary system calls (identified by name or number)
+on entry or exit.Filtering by PID, UID, call success, system call argument (with
+some limitations), etc.Monitoring of specific files for modifications to the file's
+contents or metadata.
+
+Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
+Add rules to it to meet the auditing requirements for your organization.
+Each line in /etc/audit/audit.rules represents a series of arguments
+that can be passed to auditctl and can be individually tested
+during runtime. See documentation in /usr/share/doc/audit-VERSION and
+in the related man pages for more details.
+
+If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
+be sure to comment out the
+lines containing arch= which are not appropriate for your system's
+architecture. Then review and understand the following rules,
+ensuring rules are activated as needed for the appropriate
+architecture.
+
+After reviewing all the rules, reading the following sections, and
+editing as needed, the new rules can be activated as follows:
+$ sudo service auditd restart
+
+
+ Audit failure mode
+ This variable is the setting for the -f option in Audit configuration which sets the failure mode of audit.
+This option lets you determine how you want the kernel to handle critical errors.
+Possible values are: 0=silent, 1=printk, 2=panic.
+If the value is set to "2", the system is configured to panic (shut down) in the event of an auditing failure.
+If the value is set to "1", the system is configured to only send information to the kernel log regarding the failure.
+ 2
+ 0
+ 1
+ 2
+
+
+ Make the auditd Configuration Immutable
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d in order to make the auditd configuration
+immutable:
+-e 2
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file in order to make the auditd configuration
+immutable:
+-e 2
+With this setting, a reboot will be required to change any audit rules.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO01.06
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.3.1
+ 3.4.3
+ CCI-000162
+ CCI-000163
+ CCI-000164
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.310(a)(2)(iv)
+ 164.312(d)
+ 164.310(d)(2)(iii)
+ 164.312(b)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.7.3
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 5.2
+ SR 6.1
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ ID.SC-4
+ PR.AC-4
+ PR.DS-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.5.2
+ SRG-OS-000057-GPOS-00027
+ SRG-OS-000058-GPOS-00028
+ SRG-OS-000059-GPOS-00029
+ Making the audit configuration immutable prevents accidental as
+well as malicious modification of the audit rules, although it may be
+problematic if legitimate changes are needed during system
+operation.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Traverse all of:
+#
+# /etc/audit/audit.rules, (for auditctl case)
+# /etc/audit/rules.d/*.rules (for augenrules case)
+#
+# files to check if '-e .*' setting is present in that '*.rules' file already.
+# If found, delete such occurrence since auditctl(8) manual page instructs the
+# '-e 2' rule should be placed as the last rule in the configuration
+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
+
+# Append '-e 2' requirement at the end of both:
+# * /etc/audit/audit.rules file (for auditctl case)
+# * /etc/audit/rules.d/immutable.rules (for augenrules case)
+
+for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
+do
+ echo '' >> $AUDIT_FILE
+ echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
+ echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
+ echo '-e 2' >> $AUDIT_FILE
+ chmod o-rwx $AUDIT_FILE
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.4.3
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.2
+ - audit_rules_immutable
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Collect all files from /etc/audit/rules.d with .rules extension
+ find:
+ paths: /etc/audit/rules.d/
+ patterns: '*.rules'
+ register: find_rules_d
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.4.3
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.2
+ - audit_rules_immutable
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Remove the -e option from all Audit config files
+ lineinfile:
+ path: '{{ item }}'
+ regexp: ^\s*(?:-e)\s+.*$
+ state: absent
+ loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']
+ }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.4.3
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.2
+ - audit_rules_immutable
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules
+ lineinfile:
+ path: '{{ item }}'
+ create: true
+ line: -e 2
+ mode: o-rwx
+ loop:
+ - /etc/audit/audit.rules
+ - /etc/audit/rules.d/immutable.rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-171-3.4.3
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.2
+ - audit_rules_immutable
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Mandatory Access Controls
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-w /etc/selinux/ -p wa -k MAC-policy
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-w /etc/selinux/ -p wa -k MAC-policy
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.8
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ The system's mandatory access policy (SELinux) should not be
+arbitrarily changed by anything other than administrator action. All changes to
+MAC policy should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/selinux/" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/MAC-policy.rules"
+ # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/selinux/" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/selinux/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/selinux/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/selinux/ -p wa -k MAC-policy" >> "$audit_rules_file"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects Information on Exporting to Media (successful)
+ At a minimum, the audit system should collect media exportation
+events for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ The unauthorized exportation of data to external media could result in an information leak
+where classified information, Privacy Act information, and intellectual property could be lost. An audit
+trail should be created each time a filesystem is mounted to help identify and guard against information
+loss.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="mount"
+ KEY="perm_mod"
+ SYSCALL_GROUPING=""
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_media_export
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit mount tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_media_export
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for mount for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - mount
+ syscall_grouping: []
+
+ - name: Check existence of mount in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - mount
+ syscall_grouping: []
+
+ - name: Check existence of mount in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_media_export
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for mount for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - mount
+ syscall_grouping: []
+
+ - name: Check existence of mount in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - mount
+ syscall_grouping: []
+
+ - name: Check existence of mount in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_media_export
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Network Environment
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
+-w /etc/issue -p wa -k audit_rules_networkconfig_modification
+-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
+-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
+-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.5.5
+ The network environment should not be modified by anything other
+than administrator action. Any change to network parameters should be
+audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ SYSCALL="sethostname setdomainname"
+ KEY="audit_rules_networkconfig_modification"
+ SYSCALL_GROUPING="sethostname setdomainname"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+# Then perform the remediations for the watch rules
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
+ # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
+ # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
+ # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
+ # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Record Attempts to Alter Process and Session Initiation Information
+ The audit system already collects process information for all
+users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d in order to watch for attempted manual
+edits of files involved in storing such process information:
+-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file in order to watch for attempted manual
+edits of files involved in storing such process information:
+-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ 0582
+ 0584
+ 05885
+ 0586
+ 0846
+ 0957
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.3
+ Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/session.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/session.rules"
+ # If the session.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/session.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/session.rules"
+ # If the session.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/session.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/session.rules"
+ # If the session.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+ Ensure auditd Collects System Administrator Actions
+ At a minimum, the audit system should collect administrator actions
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the default),
+add the following line to a file with suffix .rules in the directory
+/etc/audit/rules.d:
+-w /etc/sudoers -p wa -k actions
+-w /etc/sudoers.d/ -p wa -k actions
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-w /etc/sudoers -p wa -k actions
+-w /etc/sudoers.d/ -p wa -k actions
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.03
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.2.2
+ 4.3.3.3.9
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.1
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.2
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ AC-2(7)(b)
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-1
+ PR.AC-3
+ PR.AC-4
+ PR.AC-6
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.1.5
+ Req-10.2.2
+ Req-10.2.5.b
+ SRG-OS-000004-GPOS-00004
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000304-GPOS-00121
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000470-GPOS-00214
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000239-GPOS-00089
+ SRG-OS-000240-GPOS-00090
+ SRG-OS-000241-GPOS-00091
+ SRG-OS-000303-GPOS-00120
+ SRG-OS-000304-GPOS-00121
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000476-GPOS-00221
+ SRG-OS-000462-VMM-001840
+ SRG-OS-000471-VMM-001910
+ The actions taken by system administrators should be audited to keep a record
+of what was executed on the system, as well as, for accountability purposes.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/actions.rules"
+ # If the actions.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
+ fi
+done
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/actions.rules"
+ # If the actions.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+ patterns: '*.rules'
+ register: find_existing_watch_rules_d
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Search /etc/audit/rules.d for other rules with specified key actions
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^.*(?:-F key=|-k\s+)actions$
+ patterns: '*.rules'
+ register: find_watch_key
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/actions.rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -w /etc/sudoers -p wa -k actions
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit/
+ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
+ patterns: audit.rules
+ register: find_existing_watch_audit_rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules
+ lineinfile:
+ line: -w /etc/sudoers -p wa -k actions
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
+ patterns: '*.rules'
+ register: find_existing_watch_rules_d
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Search /etc/audit/rules.d for other rules with specified key actions
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^.*(?:-F key=|-k\s+)actions$
+ patterns: '*.rules'
+ register: find_watch_key
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/actions.rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -w /etc/sudoers.d/ -p wa -k actions
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit/
+ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
+ patterns: audit.rules
+ register: find_existing_watch_audit_rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules
+ lineinfile:
+ line: -w /etc/sudoers.d/ -p wa -k actions
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-2(7)(b)
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.1.5
+ - PCI-DSS-Req-10.2.2
+ - PCI-DSS-Req-10.2.5.b
+ - audit_rules_sysadmin_actions
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify User/Group Information
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d, in order to capture events that modify
+account changes:
+-w /etc/group -p wa -k audit_rules_usergroup_modification
+-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file, in order to capture events that modify
+account changes:
+-w /etc/group -p wa -k audit_rules_usergroup_modification
+-w /etc/passwd -p wa -k audit_rules_usergroup_modification
+-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
+-w /etc/shadow -p wa -k audit_rules_usergroup_modification
+-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
+ This rule checks for multiple syscalls related to account changes;
+it was written with DISA STIG in mind. Other policies should use a
+separate rule for each syscall that needs to be checked. For example:
+audit_rules_usergroup_modification_groupaudit_rules_usergroup_modification_gshadowaudit_rules_usergroup_modification_passwd
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.03
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000018
+ CCI-000130
+ CCI-000172
+ CCI-001403
+ CCI-002130
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.2.2
+ 4.3.3.3.9
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.1
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.2
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-004-6 R2.2.2
+ CIP-004-6 R2.2.3
+ CIP-007-3 R.1.3
+ CIP-007-3 R5
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.3
+ CIP-007-3 R5.2.1
+ CIP-007-3 R5.2.3
+ AC-2(4)
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-1
+ PR.AC-3
+ PR.AC-4
+ PR.AC-6
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.2.5
+ SRG-OS-000004-GPOS-00004
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000239-GPOS-00089
+ SRG-OS-000241-GPOS-00090
+ SRG-OS-000241-GPOS-00091
+ SRG-OS-000303-GPOS-00120
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000476-GPOS-00221
+ In addition to auditing new user and group accounts, these watches
+will alert the system administrator(s) to any modifications. Any unexpected
+users, groups, or modifications should be investigated for legitimacy.
+
+
+
+
+
+
+
+
+ Record Access Events to Audit Log Directory
+ The audit system should collect access events to read audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix .rules in the directory
+/etc/audit/rules.d.
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the rule to
+/etc/audit/audit.rules file.
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ FAU_GEN.1.1.c
+ Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F dir=/var/log/audit/ -F perm=r"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="access-audit-trail"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ System Audit Logs Must Have Mode 0750 or Less Permissive
+
+If log_group in /etc/audit/auditd.conf is set to a group other than the root
+group account, change the mode of the audit log files with the following command:
+$ sudo chmod 0750 /var/log/audit
+
+Otherwise, change the mode of the audit log files with the following command:
+$ sudo chmod 0700 /var/log/audit
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO01.06
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ MEA02.01
+ CCI-000162
+ CCI-000163
+ CCI-000164
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.7.3
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 5.2
+ SR 6.1
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.2
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-004-6 R3.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R6.5
+ CM-6(a)
+ AC-6(1)
+ AU-9
+ DE.AE-3
+ DE.AE-5
+ PR.AC-4
+ PR.DS-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ SRG-OS-000057-GPOS-00027
+ SRG-OS-000058-GPOS-00028
+ SRG-OS-000059-GPOS-00029
+ If users can write to audit logs, audit trails can be modified or destroyed.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then
+ DIR=$(awk -F "=" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d"/" -f2- | rev)
+else
+ DIR="/var/log/audit"
+fi
+
+
+if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
+ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+ if ! [ "${GROUP}" == 'root' ] ; then
+ chmod 0750 $DIR
+ else
+ chmod 0700 $DIR
+ fi
+else
+ chmod 0700 $DIR
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Audit Configuration Files Must Be Owned By Group root
+ All audit configuration files must be owned by group root.
+chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*
+ CCI-000171
+ SRG-OS-000063-GPOS-00032
+ Without the capability to restrict which roles and individuals can
+select which events are audited, unauthorized personnel may be able
+to prevent the auditing of critical events.
+Misconfigured audits may degrade the system's performance by
+overwhelming the audit log. Misconfigured audits may also make it more
+difficult to establish, correlate, and investigate the events relating
+to an incident or identify those responsible for one.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+find /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex '^audit(\.rules|d\.conf)$' -exec chgrp 0 {} \;
+
+
+find /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex '^.*\.rules$' -exec chgrp 0 {} \;
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - configure_strategy
+ - file_groupownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+ command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_groupownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+ file:
+ path: '{{ item }}'
+ group: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_groupownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex "^.*\.rules$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_groupownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+ file:
+ path: '{{ item }}'
+ group: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_groupownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Audit Configuration Files Must Be Owned By Root
+ All audit configuration files must be owned by root user.
+
+To properly set the owner of /etc/audit/, run the command:
+$ sudo chown root /etc/audit/
+
+To properly set the owner of /etc/audit/rules.d/, run the command:
+$ sudo chown root /etc/audit/rules.d/
+ CCI-000171
+ SRG-OS-000063-GPOS-00032
+ Without the capability to restrict which roles and individuals can
+select which events are audited, unauthorized personnel may be able
+to prevent the auditing of critical events.
+Misconfigured audits may degrade the system's performance by
+overwhelming the audit log. Misconfigured audits may also make it more
+difficult to establish, correlate, and investigate the events relating
+to an incident or identify those responsible for one.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+find /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\.rules|d\.conf)$' -exec chown 0 {} \;
+
+find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\.rules$' -exec chown 0 {} \;
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - configure_strategy
+ - file_ownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+ command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex "^audit(\.rules|d\.conf)$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_ownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_ownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.rules$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_ownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - file_ownership_audit_configuration
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ System Audit Logs Must Be Owned By Root
+ All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/.
+
+To properly set the owner of /var/log/audit, run the command:
+$ sudo chown root /var/log/audit
+
+To properly set the owner of /var/log/audit/*, run the command:
+$ sudo chown root /var/log/audit/*
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO01.06
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ MEA02.01
+ 3.3.1
+ CCI-000162
+ CCI-000163
+ CCI-000164
+ CCI-001314
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.7.3
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 5.2
+ SR 6.1
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ AU-9(4)
+ DE.AE-3
+ DE.AE-5
+ PR.AC-4
+ PR.DS-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.5.1
+ SRG-OS-000057-GPOS-00027
+ SRG-OS-000058-GPOS-00028
+ SRG-OS-000059-GPOS-00029
+ Unauthorized disclosure of audit records can reveal system and configuration data to
+attackers, thus compromising its confidentiality.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
+ GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')
+ if ! [ "${GROUP}" == 'root' ] ; then
+ chown root:${GROUP} /var/log/audit
+ chown root:${GROUP} /var/log/audit/audit.log*
+ else
+ chown root:root /var/log/audit
+ chown root:root /var/log/audit/audit.log*
+ fi
+else
+ chown root:root /var/log/audit
+ chown root:root /var/log/audit/audit.log*
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls
+ At a minimum, the audit system should collect file permission
+changes for all users and root. Note that the "-F arch=b32" lines should be
+present even on a 64 bit system. These commands identify system calls for
+auditing. Even if the system is 64 bit it can still execute 32 bit system
+calls. Additionally, these rules can be configured in a number of ways while
+still achieving the desired effect. An example of this is that the "-S" calls
+could be split up and placed on separate lines, however, this is less efficient.
+Add the following to /etc/audit/audit.rules:
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If your system is 64 bit then these lines should be duplicated and the
+arch=b32 replaced with arch=b64 as follows:
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+ Record Events that Modify the System's Discretionary Access Controls - chmod
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="chmod"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chmod fchmod fchmodat"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit chmod tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for chmod for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of chmod in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of chmod in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for chmod for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of chmod in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of chmod in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - chown
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="chown"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chown fchown fchownat lchown"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit chown tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for chown for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of chown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of chown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for chown for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of chown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - chown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of chown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_chown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fchmod
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fchmod"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chmod fchmod fchmodat"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fchmod tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchmod for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmod in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmod in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchmod for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmod in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmod
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmod in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmod
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fchmodat
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured to
+use the augenrules program to read audit rules during daemon startup
+(the default), add the following line to a file with suffix .rules in
+the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fchmodat"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chmod fchmod fchmodat"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmodat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fchmodat tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmodat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchmodat for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmodat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmodat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmodat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchmodat for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmodat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchmodat
+ syscall_grouping:
+ - chmod
+ - fchmod
+ - fchmodat
+
+ - name: Check existence of fchmodat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchmodat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fchown
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fchown"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chown fchown fchownat lchown"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fchown tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchown for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchown for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fchownat
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fchownat"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chown fchown fchownat lchown"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchownat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fchownat tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchownat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchownat for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchownat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchownat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchownat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fchownat for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchownat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fchownat
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of fchownat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fchownat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fremovexattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root.
+
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000463-GPOS-00207
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fremovexattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fremovexattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fremovexattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fremovexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fremovexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fremovexattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fremovexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fremovexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - fsetxattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000463-GPOS-00207
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="fsetxattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit fsetxattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fsetxattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fsetxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fsetxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for fsetxattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fsetxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - fsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of fsetxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_fsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - lchown
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="lchown"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="chown fchown fchownat lchown"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit lchown tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lchown for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of lchown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of lchown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lchown for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of lchown in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lchown
+ syscall_grouping:
+ - chown
+ - fchown
+ - fchownat
+ - lchown
+
+ - name: Check existence of lchown in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lchown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - lremovexattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root.
+
+If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000463-GPOS-00207
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="lremovexattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit lremovexattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lremovexattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lremovexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lremovexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lremovexattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lremovexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lremovexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lremovexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lremovexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - lsetxattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000463-GPOS-00207
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="lsetxattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit lsetxattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lsetxattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lsetxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lsetxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for lsetxattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lsetxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - lsetxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of lsetxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_lsetxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - removexattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root.
+
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add the
+following line to a file with suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000463-GPOS-00207
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000474-GPOS-00219
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="removexattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_removexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit removexattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_removexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for removexattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - removexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of removexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - removexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of removexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_removexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for removexattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - removexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of removexattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - removexattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of removexattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_removexattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - setxattr
+ At a minimum, the audit system should collect file permission
+changes for all users and root. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000126
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.5
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000064-GPOS-00033
+ SRG-OS-000458-GPOS-00203
+ SRG-OS-000458-VMM-001810
+ SRG-OS-000474-VMM-001940
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="setxattr"
+ KEY="perm_mod"
+ SYSCALL_GROUPING="fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr"
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_setxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit setxattr tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_setxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for setxattr for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - setxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of setxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - setxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of setxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_setxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for setxattr for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - setxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of setxattr in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - setxattr
+ syscall_grouping:
+ - fremovexattr
+ - lremovexattr
+ - removexattr
+ - fsetxattr
+ - lsetxattr
+ - setxattr
+
+ - name: Check existence of setxattr in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.5
+ - audit_rules_dac_modification_setxattr
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - umount
+ At a minimum, the audit system should collect file system umount
+changes. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ CCI-000130
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit -F arch=b32"
+OTHER_FILTERS=""
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL="umount"
+KEY="perm_mod"
+SYSCALL_GROUPING=""
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - audit_rules_dac_modification_umount
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for umount for x86 platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount
+ syscall_grouping: []
+
+ - name: Check existence of umount in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount
+ syscall_grouping: []
+
+ - name: Check existence of umount in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - audit_rules_dac_modification_umount
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Events that Modify the System's Discretionary Access Controls - umount2
+ At a minimum, the audit system should collect file system umount2
+changes. If the auditd daemon is configured
+to use the augenrules program to read audit rules during daemon
+startup (the default), add the following line to a file with suffix
+.rules in the directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod
+ Note that these rules can be configured in a
+number of ways while still achieving the desired effect. Here the system calls
+have been placed independent of other system calls. Grouping these system
+calls with others as identifying earlier in this guide is more efficient.
+ CCI-000130
+ CCI-000169
+ CCI-000172
+ CCI-002884
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ The changing of file permissions could indicate that a user is attempting to
+gain access to information that would otherwise be disallowed. Auditing DAC modifications
+can facilitate the identification of patterns of abuse among both authorized and
+unauthorized users.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="umount2"
+ KEY="perm_mod"
+ SYSCALL_GROUPING=""
+
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - audit_rules_dac_modification_umount2
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit umount2 tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - audit_rules_dac_modification_umount2
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for umount2 for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount2
+ syscall_grouping: []
+
+ - name: Check existence of umount2 in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount2
+ syscall_grouping: []
+
+ - name: Check existence of umount2 in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - audit_rules_dac_modification_umount2
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for umount2 for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount2
+ syscall_grouping: []
+
+ - name: Check existence of umount2 in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
+ set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - umount2
+ syscall_grouping: []
+
+ - name: Check existence of umount2 in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=perm_mod
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - audit_rules_dac_modification_umount2
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+ Record Execution Attempts to Run ACL Privileged Commands
+ At a minimum, the audit system should collect the execution of
+ACL privileged commands for all users and root.
+
+
+ Record Execution Attempts to Run SELinux Privileged Commands
+ At a minimum, the audit system should collect the execution of
+SELinux privileged commands for all users and root.
+
+
+ Record File Deletion Events by User
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete
+
+ Ensure auditd Collects File Deletion Events by User - rename
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-000366
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.4
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.1.1
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.MA-2
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000467-GPOS-00211
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000466-VMM-001870
+ SRG-OS-000468-VMM-001890
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="rename"
+ KEY="delete"
+ SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rename
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit rename tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rename
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for rename for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rename
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rename in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rename
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rename in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rename
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for rename for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rename
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rename in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rename
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rename in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rename
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects File Deletion Events by User - renameat
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-000366
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.4
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.1.1
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.MA-2
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000467-GPOS-00211
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000466-VMM-001870
+ SRG-OS-000468-VMM-001890
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="renameat"
+ KEY="delete"
+ SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_renameat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit renameat tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_renameat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for renameat for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - renameat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of renameat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - renameat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of renameat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_renameat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for renameat for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - renameat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of renameat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - renameat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of renameat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_renameat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects File Deletion Events by User - rmdir
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-000366
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.4
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.1.1
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.MA-2
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000467-GPOS-00211
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000466-VMM-001870
+ SRG-OS-000468-VMM-001890
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="rmdir"
+ KEY="delete"
+ SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rmdir
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit rmdir tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rmdir
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for rmdir for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rmdir
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rmdir in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rmdir
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rmdir in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rmdir
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for rmdir for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rmdir
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rmdir in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - rmdir
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of rmdir in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_rmdir
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects File Deletion Events by User - unlink
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-000366
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.4
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.1.1
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.MA-2
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000467-GPOS-00211
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000466-VMM-001870
+ SRG-OS-000468-VMM-001890
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="unlink"
+ KEY="delete"
+ SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlink
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit unlink tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlink
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlink for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlink
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlink in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlink
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlink in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlink
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlink for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlink
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlink in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlink
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlink in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlink
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects File Deletion Events by User - unlinkat
+ At a minimum, the audit system should collect file deletion events
+for all users and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
+appropriate for your system:
+-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-000130
+ CCI-000135
+ CCI-000169
+ CCI-000172
+ CCI-000366
+ CCI-002884
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.4
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.1.1
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.MA-2
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.2.7
+ SRG-OS-000037-GPOS-00015
+ SRG-OS-000042-GPOS-00020
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000392-GPOS-00172
+ SRG-OS-000462-GPOS-00206
+ SRG-OS-000471-GPOS-00215
+ SRG-OS-000466-GPOS-00210
+ SRG-OS-000467-GPOS-00211
+ SRG-OS-000468-GPOS-00212
+ SRG-OS-000466-VMM-001870
+ SRG-OS-000468-VMM-001890
+ Auditing file deletions will create an audit trail for files that are removed
+from the system. The audit trail could aid in system troubleshooting, as well as, detecting
+malicious processes that attempt to delete log files to conceal their presence.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS=""
+ AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+ SYSCALL="unlinkat"
+ KEY="delete"
+ SYSCALL_GROUPING="unlink unlinkat rename renameat rmdir"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlinkat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Set architecture for audit unlinkat tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlinkat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlinkat for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlinkat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlinkat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlinkat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlinkat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlinkat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for unlinkat for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlinkat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlinkat in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules
+ set_fact: audit_file="/etc/audit/rules.d/delete.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - unlinkat
+ syscall_grouping:
+ - unlink
+ - unlinkat
+ - rename
+ - renameat
+ - rmdir
+
+ - name: Check existence of unlinkat in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
+ -F auid!=unset -F key=delete
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.2.7
+ - audit_rules_file_deletion_events_unlinkat
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+ Record Unauthorized Access Attempts Events to Files (unsuccessful)
+ At a minimum, the audit system should collect unauthorized file
+accesses for all users and root. Note that the "-F arch=b32" lines should be
+present even on a 64 bit system. These commands identify system calls for
+auditing. Even if the system is 64 bit it can still execute 32 bit system
+calls. Additionally, these rules can be configured in a number of ways while
+still achieving the desired effect. An example of this is that the "-S" calls
+could be split up and placed on separate lines, however, this is less efficient.
+Add the following to /etc/audit/audit.rules:
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+ -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+If your system is 64 bit then these lines should be duplicated and the
+arch=b32 replaced with arch=b64 as follows:
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
+ -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
+
+
+ Record Information on Kernel Modules Loading and Unloading
+ To capture kernel module loading and unloading events, use following lines, setting ARCH to
+either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
+
+-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
+
+
+Place to add the lines depends on a way auditd daemon is configured. If it is configured
+to use the augenrules program (the default), add the lines to a file with suffix
+.rules in the directory /etc/audit/rules.d.
+
+If the auditd daemon is configured to use the auditctl utility,
+add the lines to file /etc/audit/audit.rules.
+
+
+ Record Attempts to Alter Logon and Logout Events
+ The audit system already collects login information for all users
+and root. If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix .rules in the
+directory /etc/audit/rules.d in order to watch for attempted manual
+edits of files involved in storing logon events:
+-w /var/log/tallylog -p wa -k logins
+-w /var/run/faillock -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following lines to
+/etc/audit/audit.rules file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+-w /var/log/tallylog -p wa -k logins
+-w /var/run/faillock -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+
+
+ Record Information on the Use of Privileged Commands
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root.
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - init
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged
+ CCI-000172
+ AU-12(c)
+ SRG-OS-000477-GPOS-00222
+ Misuse of the init command may cause availability issues for the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/init"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_init
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/sbin/init
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/init -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+ set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/init -F auid>=1000
+ -F auid!=unset (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F auid>=1000
+ -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/init -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+ -S |,)\w+)+)( -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset (?:-k |-F
+ key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F auid>=1000
+ -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_init
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
+ CCI-000172
+ AU-12(c)
+ SRG-OS-000477-GPOS-00222
+ Misuse of the poweroff command may cause availability issues for the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/poweroff"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_poweroff
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/sbin/poweroff
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+ set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F auid>=1000
+ -F auid!=unset (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F
+ auid>=1000 -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+ -S |,)\w+)+)( -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F
+ auid>=1000 -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_poweroff
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - reboot
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
+ CCI-000172
+ AU-12(c)
+ SRG-OS-000477-GPOS-00222
+ Misuse of the reboot command may cause availability issues for the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/reboot"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_reboot
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/sbin/reboot
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+ set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/reboot -F auid>=1000
+ -F auid!=unset (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F auid>=1000
+ -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+ -S |,)\w+)+)( -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F auid>=1000
+ -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_reboot
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects Information on the Use of Privileged Commands - shutdown
+ At a minimum, the audit system should collect the execution of
+privileged commands for all users and root. If the auditd daemon is
+configured to use the augenrules program to read audit rules during
+daemon startup (the default), add a line of the following form to a file with
+suffix .rules in the directory /etc/audit/rules.d:
+-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules:
+-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
+ CCI-000172
+ AU-12(c)
+ SRG-OS-000477-GPOS-00222
+ Misuse of the shutdown command may cause availability issues for the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+ACTION_ARCH_FILTERS="-a always,exit"
+OTHER_FILTERS="-F path=/usr/sbin/shutdown"
+AUID_FILTERS="-F auid>=1000 -F auid!=unset"
+SYSCALL=""
+KEY="privileged"
+SYSCALL_GROUPING=""
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_shutdown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for /usr/sbin/shutdown
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
+ set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F auid>=1000
+ -F auid!=unset (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F
+ auid>=1000 -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls: []
+ syscall_grouping: []
+
+ - name: Check existence of in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
+ path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
+ -S |,)\w+)+)( -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (?:-k
+ |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F
+ auid>=1000 -F auid!=unset -F key=privileged
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-12(c)
+ - audit_privileged_commands_shutdown
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Ensure auditd Collects Information on the Use of Privileged Commands
+ The audit system should collect information about usage of privileged
+commands for all users and root. To find the relevant setuid /
+setgid programs, run the following command for each local partition
+PART:
+$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
+If the auditd daemon is configured to use the augenrules
+program to read audit rules during daemon startup (the default), add a line of
+the following form to a file with suffix .rules in the directory
+/etc/audit/rules.d for each setuid / setgid program on the system,
+replacing the SETUID_PROG_PATH part with the full path of that setuid /
+setgid program in the list:
+-a always,exit -F path=SETUID_PROG_PATH -F auid>=1000 -F auid!=unset -F key=privileged
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add a line of the following
+form to /etc/audit/audit.rules for each setuid / setgid program on the
+system, replacing the SETUID_PROG_PATH part with the full path of that
+setuid / setgid program in the list:
+-a always,exit -F path=SETUID_PROG_PATH -F auid>=1000 -F auid!=unset -F key=privileged
+ This rule checks for multiple syscalls related to privileged commands;
+it was written with DISA STIG in mind. Other policies should use a
+separate rule for each syscall that needs to be checked. For example:
+audit_rules_privileged_commands_suaudit_rules_privileged_commands_umountaudit_rules_privileged_commands_passwd
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO08.04
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.05
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-002234
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.5
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.3.4.5.9
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 3.9
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ 0582
+ 0584
+ 05885
+ 0586
+ 0846
+ 0957
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.1
+ A.16.1.2
+ A.16.1.3
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.1.3
+ A.6.2.1
+ A.6.2.2
+ CIP-004-6 R2.2.2
+ CIP-004-6 R2.2.3
+ CIP-007-3 R.1.3
+ CIP-007-3 R5
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.3
+ CIP-007-3 R5.2.1
+ CIP-007-3 R5.2.3
+ AC-2(4)
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-2
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ DE.DP-4
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ RS.CO-2
+ Req-10.2.2
+ SRG-OS-000327-GPOS-00127
+ SRG-OS-000471-VMM-001910
+ Misuse of privileged functions, either intentionally or unintentionally by
+authorized users, or by unauthorized external entities that have compromised system accounts,
+is a serious and ongoing concern and can have significant adverse impacts on organizations.
+Auditing the use of privileged functions is one way to detect such misuse and identify
+the risk from insider and advanced persistent threats.
+
+Privileged programs are subject to escalation-of-privilege attacks,
+which attempt to subvert their normal role of providing some necessary but
+limited capability. As such, motivation exists to monitor these programs for
+unusual activity.
+
+
+
+
+
+
+
+
+
+ Records Events that Modify Date and Time Information
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time. All changes to the system
+time should be audited.
+
+ Record attempts to alter time through adjtimex
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
+The -k option allows for the specification of a key in string form that can be
+used for better reporting capability through ausearch and aureport. Multiple
+system calls can be defined on the same line to save space if desired, but is
+not required. See an example of multiple combined syscalls:
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-001487
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.4.2.b
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday stime"
+ SYSCALL_GROUPING="adjtimex settimeofday stime"
+ elif [ ${ARCH} = "b64" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday"
+ SYSCALL_GROUPING="adjtimex settimeofday"
+ fi
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ KEY="audit_time_rules"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+ # If audit tool is 'augenrules', then check if the audit rule is defined
+ # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+ # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+ default_file="/etc/audit/rules.d/$KEY.rules"
+ # As other_filters may include paths, lets use a different delimiter for it
+ # The "F" script expression tells sed to print the filenames where the expressions matched
+ readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+ # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+ if [ ${#files_to_inspect[@]} -eq "0" ]
+ then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+ fi
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+
+ # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+ # file to the list of files to be inspected
+ default_file="/etc/audit/audit.rules"
+ files_to_inspect+=('/etc/audit/audit.rules' )
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_adjtimex
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_adjtimex
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for adjtimex for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - adjtimex
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of adjtimex in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
+ set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - adjtimex
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of adjtimex in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_adjtimex
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for adjtimex for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - adjtimex
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+
+ - name: Check existence of adjtimex in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
+ set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - adjtimex
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of adjtimex in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_adjtimex
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Attempts to Alter Time Through clock_settime
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
+The -k option allows for the specification of a key in string form that can
+be used for better reporting capability through ausearch and aureport.
+Multiple system calls can be defined on the same line to save space if
+desired, but is not required. See an example of multiple combined syscalls:
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-001487
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.4.2.b
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# First perform the remediation of the syscall rule
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ OTHER_FILTERS="-F a0=0x0"
+ AUID_FILTERS=""
+ SYSCALL="clock_settime"
+ KEY="time-change"
+ SYSCALL_GROUPING=""
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+# If audit tool is 'augenrules', then check if the audit rule is defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+default_file="/etc/audit/rules.d/$KEY.rules"
+# As other_filters may include paths, lets use a different delimiter for it
+# The "F" script expression tells sed to print the filenames where the expressions matched
+readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+if [ ${#files_to_inspect[@]} -eq "0" ]
+then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+fi
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+ unset syscall_a
+unset syscall_grouping
+unset syscall_string
+unset syscall
+unset file_to_edit
+unset rule_to_edit
+unset rule_syscalls_to_edit
+unset other_string
+unset auid_string
+unset full_rule
+
+# Load macro arguments into arrays
+read -a syscall_a <<< $SYSCALL
+read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+#
+files_to_inspect=()
+
+
+
+# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# file to the list of files to be inspected
+default_file="/etc/audit/audit.rules"
+files_to_inspect+=('/etc/audit/audit.rules' )
+
+# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+skip=1
+
+for audit_file in "${files_to_inspect[@]}"
+do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+done
+
+if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_clock_settime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_clock_settime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for clock_settime for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - clock_settime
+ syscall_grouping: []
+
+ - name: Check existence of clock_settime in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
+ set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
+ key=time-change
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - clock_settime
+ syscall_grouping: []
+
+ - name: Check existence of clock_settime in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F
+ key=time-change
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_clock_settime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for clock_settime for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - clock_settime
+ syscall_grouping: []
+
+ - name: Check existence of clock_settime in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
+ set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
+ key=time-change
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - clock_settime
+ syscall_grouping: []
+
+ - name: Check existence of clock_settime in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F
+ key=time-change
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_clock_settime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record attempts to alter time through settimeofday
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
+If the system is 64 bit then also add the following line:
+-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
+The -k option allows for the specification of a key in string form that can be
+used for better reporting capability through ausearch and aureport. Multiple
+system calls can be defined on the same line to save space if desired, but is
+not required. See an example of multiple combined syscalls:
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-001487
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.4.2.b
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday stime"
+ SYSCALL_GROUPING="adjtimex settimeofday stime"
+ elif [ ${ARCH} = "b64" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday"
+ SYSCALL_GROUPING="adjtimex settimeofday"
+ fi
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ KEY="audit_time_rules"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+ # If audit tool is 'augenrules', then check if the audit rule is defined
+ # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+ # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+ default_file="/etc/audit/rules.d/$KEY.rules"
+ # As other_filters may include paths, lets use a different delimiter for it
+ # The "F" script expression tells sed to print the filenames where the expressions matched
+ readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+ # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+ if [ ${#files_to_inspect[@]} -eq "0" ]
+ then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+ fi
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+
+ # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+ # file to the list of files to be inspected
+ default_file="/etc/audit/audit.rules"
+ files_to_inspect+=('/etc/audit/audit.rules' )
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_settimeofday
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set architecture for audit tasks
+ set_fact:
+ audit_arch: b64
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture
+ == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_settimeofday
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for settimeofday for 32bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - settimeofday
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of settimeofday in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
+ set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - settimeofday
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of settimeofday in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_settimeofday
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for settimeofday for 64bit platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - settimeofday
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of settimeofday in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
+ set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - settimeofday
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of settimeofday in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - audit_arch == "b64"
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_settimeofday
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Attempts to Alter Time Through stime
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the
+default), add the following line to a file with suffix .rules in the
+directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
+-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
+Since the 64 bit version of the "stime" system call is not defined in the audit
+lookup table, the corresponding "-F arch=b64" form of this rule is not expected
+to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
+form itself is sufficient for both 32 bit and 64 bit systems). If the
+auditd daemon is configured to use the auditctl utility to
+read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
+-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
+Since the 64 bit version of the "stime" system call is not defined in the audit
+lookup table, the corresponding "-F arch=b64" form of this rule is not expected
+to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
+form itself is sufficient for both 32 bit and 64 bit systems). The -k option
+allows for the specification of a key in string form that can be used for
+better reporting capability through ausearch and aureport. Multiple system
+calls can be defined on the same line to save space if desired, but is not
+required. See an example of multiple combined system calls:
+-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-001487
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.4.2.b
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Retrieve hardware architecture of the underlying system
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
+
+for ARCH in "${RULE_ARCHS[@]}"
+do
+ # Create expected audit group and audit rule form for particular system call & architecture
+ if [ ${ARCH} = "b32" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
+ # so append it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday stime"
+ SYSCALL_GROUPING="adjtimex settimeofday stime"
+ elif [ ${ARCH} = "b64" ]
+ then
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
+ # therefore don't add it to the list of time group system calls to be audited
+ SYSCALL="adjtimex settimeofday"
+ SYSCALL_GROUPING="adjtimex settimeofday"
+ fi
+ OTHER_FILTERS=""
+ AUID_FILTERS=""
+ KEY="audit_time_rules"
+ # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+ # If audit tool is 'augenrules', then check if the audit rule is defined
+ # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
+ # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
+ default_file="/etc/audit/rules.d/$KEY.rules"
+ # As other_filters may include paths, lets use a different delimiter for it
+ # The "F" script expression tells sed to print the filenames where the expressions matched
+ readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
+ # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
+ if [ ${#files_to_inspect[@]} -eq "0" ]
+ then
+ file_to_inspect="/etc/audit/rules.d/$KEY.rules"
+ files_to_inspect=("$file_to_inspect")
+ if [ ! -e "$file_to_inspect" ]
+ then
+ touch "$file_to_inspect"
+ chmod 0640 "$file_to_inspect"
+ fi
+ fi
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+ unset syscall_a
+ unset syscall_grouping
+ unset syscall_string
+ unset syscall
+ unset file_to_edit
+ unset rule_to_edit
+ unset rule_syscalls_to_edit
+ unset other_string
+ unset auid_string
+ unset full_rule
+
+ # Load macro arguments into arrays
+ read -a syscall_a <<< $SYSCALL
+ read -a syscall_grouping <<< $SYSCALL_GROUPING
+
+ # Create a list of audit *.rules files that should be inspected for presence and correctness
+ # of a particular audit rule. The scheme is as follows:
+ #
+ # -----------------------------------------------------------------------------------------
+ # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+ # -----------------------------------------------------------------------------------------
+ # auditctl | Doesn't matter | /etc/audit/audit.rules |
+ # -----------------------------------------------------------------------------------------
+ # augenrules | Yes | /etc/audit/rules.d/*.rules |
+ # augenrules | No | /etc/audit/rules.d/$key.rules |
+ # -----------------------------------------------------------------------------------------
+ #
+ files_to_inspect=()
+
+
+
+ # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+ # file to the list of files to be inspected
+ default_file="/etc/audit/audit.rules"
+ files_to_inspect+=('/etc/audit/audit.rules' )
+
+ # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
+ skip=1
+
+ for audit_file in "${files_to_inspect[@]}"
+ do
+ # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
+ # i.e, collect rules that match:
+ # * the action, list and arch, (2-nd argument)
+ # * the other filters, (3-rd argument)
+ # * the auid filters, (4-rd argument)
+ readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
+
+ candidate_rules=()
+ # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
+ for s_rule in "${similar_rules[@]}"
+ do
+ # Strip all the options and fields we know of,
+ # than check if there was any field left over
+ extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
+ grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
+ done
+
+ if [[ ${#syscall_a[@]} -ge 1 ]]
+ then
+ # Check if the syscall we want is present in any of the similar existing rules
+ for rule in "${candidate_rules[@]}"
+ do
+ rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
+ all_syscalls_found=0
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
+ # A syscall was not found in the candidate rule
+ all_syscalls_found=1
+ }
+ done
+ if [[ $all_syscalls_found -eq 0 ]]
+ then
+ # We found a rule with all the syscall(s) we want; skip rest of macro
+ skip=0
+ break
+ fi
+
+ # Check if this rule can be grouped with our target syscall and keep track of it
+ for syscall_g in "${syscall_grouping[@]}"
+ do
+ if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
+ then
+ file_to_edit=${audit_file}
+ rule_to_edit=${rule}
+ rule_syscalls_to_edit=${rule_syscalls}
+ fi
+ done
+ done
+ else
+ # If there is any candidate rule, it is compliant; skip rest of macro
+ if [ "${#candidate_rules[@]}" -gt 0 ]
+ then
+ skip=0
+ fi
+ fi
+
+ if [ "$skip" -eq 0 ]; then
+ break
+ fi
+ done
+
+ if [ "$skip" -ne 0 ]; then
+ # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
+ # At this point we know if we need to either append the $full_rule or group
+ # the syscall together with an exsiting rule
+
+ # Append the full_rule if it cannot be grouped to any other rule
+ if [ -z ${rule_to_edit+x} ]
+ then
+ # Build full_rule while avoid adding double spaces when other_filters is empty
+ if [ "${#syscall_a[@]}" -gt 0 ]
+ then
+ syscall_string=""
+ for syscall in "${syscall_a[@]}"
+ do
+ syscall_string+=" -S $syscall"
+ done
+ fi
+ other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
+ auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
+ full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
+ echo "$full_rule" >> "$default_file"
+ chmod o-rwx ${default_file}
+ else
+ # Check if the syscalls are declared as a comma separated list or
+ # as multiple -S parameters
+ if grep -q -- "," <<< "${rule_syscalls_to_edit}"
+ then
+ delimiter=","
+ else
+ delimiter=" -S "
+ fi
+ new_grouped_syscalls="${rule_syscalls_to_edit}"
+ for syscall in "${syscall_a[@]}"
+ do
+ grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
+ # A syscall was not found in the candidate rule
+ new_grouped_syscalls+="${delimiter}${syscall}"
+ }
+ done
+
+ # Group the syscall in the rule
+ sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
+ fi
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_stime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Perform remediation of Audit rules for stime syscall for x86 platform
+ block:
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - stime
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of stime in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: '*.rules'
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Reset syscalls found per file
+ set_fact:
+ syscalls_per_file: {}
+ found_paths_dict: {}
+
+ - name: Declare syscalls found per file
+ set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
+ :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
+ loop: '{{ find_command.results | selectattr(''matched'') | list }}'
+
+ - name: Declare files where syscalls were found
+ set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
+ | map(attribute='path') | list }}"
+
+ - name: Count occurrences of syscalls in paths
+ set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
+ 0) }) }}"
+ loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
+ | list }}'
+
+ - name: Get path with most syscalls
+ set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
+ | last).key }}"
+ when: found_paths | length >= 1
+
+ - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
+ set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
+ when: found_paths | length == 0
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
+ | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+
+ - name: Declare list of syscalls
+ set_fact:
+ syscalls:
+ - stime
+ syscall_grouping:
+ - adjtimex
+ - settimeofday
+ - stime
+
+ - name: Check existence of stime in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit
+ contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S
+ |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
+ patterns: audit.rules
+ register: find_command
+ loop: '{{ (syscall_grouping + syscalls) | unique }}'
+
+ - name: Set path to /etc/audit/audit.rules
+ set_fact: audit_file="/etc/audit/audit.rules"
+
+ - name: Declare found syscalls
+ set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
+ | list }}"
+
+ - name: Declare missing syscalls
+ set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"
+
+ - name: Replace the audit rule in {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |
+ join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
+ line: \1\2\3{{ missing_syscalls | join("\3") }}\4
+ backrefs: true
+ state: present
+ when: syscalls_found | length > 0 and missing_syscalls | length > 0
+
+ - name: Add the audit rule to {{ audit_file }}
+ lineinfile:
+ path: '{{ audit_file }}'
+ line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
+ create: true
+ mode: o-rwx
+ state: present
+ when: syscalls_found | length == 0
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_stime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Record Attempts to Alter the localtime File
+ If the auditd daemon is configured to use the
+augenrules program to read audit rules during daemon startup (the default),
+add the following line to a file with suffix .rules in the directory
+/etc/audit/rules.d:
+-w /etc/localtime -p wa -k audit_time_rules
+If the auditd daemon is configured to use the auditctl
+utility to read audit rules during daemon startup, add the following line to
+/etc/audit/audit.rules file:
+-w /etc/localtime -p wa -k audit_time_rules
+The -k option allows for the specification of a key in string form that can
+be used for better reporting capability through ausearch and aureport and
+should always be used.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 5.4.1.1
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI08.02
+ DSS01.03
+ DSS01.04
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS03.05
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ 3.1.7
+ CCI-001487
+ CCI-000169
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)(ii)(A)
+ 164.308(a)(5)(ii)(C)
+ 164.312(a)(2)(i)
+ 164.312(b)
+ 164.312(d)
+ 164.312(e)
+ 4.2.3.10
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.3.6.6
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 1.13
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.6
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.6.2.1
+ A.6.2.2
+ AU-2(d)
+ AU-12(c)
+ AC-6(9)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.AC-3
+ PR.PT-1
+ PR.PT-4
+ RS.AN-1
+ RS.AN-4
+ Req-10.4.2.b
+ Arbitrary changes to the system time can be used to obfuscate
+nefarious activities in log files, as well as to confuse network services that
+are highly dependent upon an accurate system time (such as sshd). All changes
+to the system time should be audited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+
+# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
+# into the list of files to be inspected
+files_to_inspect+=('/etc/audit/audit.rules')
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
+ fi
+done
+# Create a list of audit *.rules files that should be inspected for presence and correctness
+# of a particular audit rule. The scheme is as follows:
+#
+# -----------------------------------------------------------------------------------------
+# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
+# -----------------------------------------------------------------------------------------
+# auditctl | Doesn't matter | /etc/audit/audit.rules |
+# -----------------------------------------------------------------------------------------
+# augenrules | Yes | /etc/audit/rules.d/*.rules |
+# augenrules | No | /etc/audit/rules.d/$key.rules |
+# -----------------------------------------------------------------------------------------
+files_to_inspect=()
+
+# If the audit is 'augenrules', then check if rule is already defined
+# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
+# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection.
+readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules)
+
+# For each of the matched entries
+for match in "${matches[@]}"
+do
+ # Extract filepath from the match
+ rulesd_audit_file=$(echo $match | cut -f1 -d ':')
+ # Append that path into list of files for inspection
+ files_to_inspect+=("$rulesd_audit_file")
+done
+# Case when particular audit rule isn't defined yet
+if [ "${#files_to_inspect[@]}" -eq "0" ]
+then
+ # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection
+ key_rule_file="/etc/audit/rules.d/audit_time_rules.rules"
+ # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions
+ if [ ! -e "$key_rule_file" ]
+ then
+ touch "$key_rule_file"
+ chmod 0640 "$key_rule_file"
+ fi
+ files_to_inspect+=("$key_rule_file")
+fi
+
+# Finally perform the inspection and possible subsequent audit rule
+# correction for each of the files previously identified for inspection
+for audit_rules_file in "${files_to_inspect[@]}"
+do
+ # Check if audit watch file system object rule for given path already present
+ if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
+ then
+ # Rule is found => verify yet if existing rule definition contains
+ # all of the required access type bits
+
+ # Define BRE whitespace class shortcut
+ sp="[[:space:]]"
+ # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
+ current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
+ # Split required access bits string into characters array
+ # (to check bit's presence for one bit at a time)
+ for access_bit in $(echo "wa" | grep -o .)
+ do
+ # For each from the required access bits (e.g. 'w', 'a') check
+ # if they are already present in current access bits for rule.
+ # If not, append that bit at the end
+ if ! grep -q "$access_bit" <<< "$current_access_bits"
+ then
+ # Concatenate the existing mask with the missing bit
+ current_access_bits="$current_access_bits$access_bit"
+ fi
+ done
+ # Propagate the updated rule's access bits (original + the required
+ # ones) back into the /etc/audit/audit.rules file for that rule
+ sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
+ else
+ # Rule isn't present yet. Append it at the end of $audit_rules_file file
+ # with proper key
+
+ echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
+ patterns: '*.rules'
+ register: find_existing_watch_rules_d
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules
+ find:
+ paths: /etc/audit/rules.d
+ contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
+ patterns: '*.rules'
+ register: find_watch_key
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule
+ set_fact:
+ all_files:
+ - /etc/audit/rules.d/audit_time_rules.rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Use matched file as the recipient for the rule
+ set_fact:
+ all_files:
+ - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
+ is defined and find_existing_watch_rules_d.matched == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/
+ lineinfile:
+ path: '{{ all_files[0] }}'
+ line: -w /etc/localtime -p wa -k audit_time_rules
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules
+ find:
+ paths: /etc/audit/
+ contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
+ patterns: audit.rules
+ register: find_existing_watch_audit_rules
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules
+ lineinfile:
+ line: -w /etc/localtime -p wa -k audit_time_rules
+ state: present
+ dest: /etc/audit/audit.rules
+ create: true
+ mode: '0640'
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
+ == 0
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.1.7
+ - NIST-800-53-AC-6(9)
+ - NIST-800-53-AU-12(c)
+ - NIST-800-53-AU-2(d)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.2.b
+ - audit_rules_time_watch_localtime
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+
+ Configure auditd Data Retention
+ The audit system writes data to /var/log/audit/audit.log. By default,
+auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of
+data in total, and refuses to write entries when the disk is too
+full. This minimizes the risk of audit data filling its partition
+and impacting other services. This also minimizes the risk of the audit
+daemon temporarily disabling the system if it cannot write audit log (which
+it can be configured to do).
+
+For a busy
+system or a system which is thoroughly auditing system activity, the default settings
+for data retention may be
+ insufficient. The log file size needed will depend heavily on what types
+of events are being audited. First configure auditing to log all the events of
+interest. Then monitor the log size manually for awhile to determine what file
+size will allow you to keep the required data for the correct time period.
+
+Using a dedicated partition for /var/log/audit prevents the
+auditd logs from disrupting system functionality if they fill, and,
+more importantly, prevents other activity in /var from filling the
+partition and stopping the audit trail. (The audit logs are size-limited and
+therefore unlikely to grow without bound unless configured to do so.) Some
+machines may have requirements that no actions occur which cannot be audited.
+If this is the case, then auditd can be configured to halt the machine
+if it runs out of space. Note: Since older logs are rotated,
+configuring auditd this way does not prevent older logs from being
+rotated away before they can be viewed.
+
+If your system is configured to halt when logging cannot be performed, make
+sure this can never happen under normal circumstances! Ensure that
+/var/log/audit is on its own partition, and that this partition is
+larger than the maximum amount of data auditd will retain
+normally.
+
+
+ Action for audispd to take when disk is full
+ The setting for disk_full_action in /etc/audisp/audisp-remote.conf
+ single
+ exec
+ halt
+ single
+ suspend
+ syslog
+ warn_once
+ stop
+
+
+ Action for audispd to take when network fails
+ The setting for network_failure_action in /etc/audisp/audisp-remote.conf
+ single
+ exec
+ halt
+ single
+ suspend
+ syslog
+ warn_once
+ stop
+ ignore
+
+
+ Remote server for audispd to send audit records
+
+The setting for remote_server in /etc/audisp/audisp-remote.conf
+ logcollector
+
+
+ Account for auditd to send email when actions occurs
+ The setting for action_mail_acct in /etc/audit/auditd.conf
+ admin
+ root
+ root
+
+
+ Action for auditd to take when disk space is low
+ The setting for admin_space_left_action in /etc/audit/auditd.conf
+ single
+ email
+ exec
+ halt
+ single
+ suspend
+ syslog
+ rotate
+ ignore
+
+
+ The percentage remaining in disk space before prompting admin_space_left_action
+ The setting for admin_space_left as a percentage in /etc/audit/auditd.conf
+ 5
+ 25
+ 50
+ 75
+ 5
+
+
+ Action for auditd to take when disk errors
+ 'The setting for disk_error_action in /etc/audit/auditd.conf, if multiple
+values are allowed write them separated by pipes as in "syslog|single|halt",
+for remediations the first value will be taken'
+ single
+ exec
+ halt
+ single
+ suspend
+ syslog
+ ignore
+ syslog|single|halt
+ syslog|single|halt
+
+
+ Action for auditd to take when disk is full
+ 'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple
+values are allowed write them separated by pipes as in "syslog|single|halt",
+for remediations the first value will be taken'
+ single
+ exec
+ halt
+ single
+ suspend
+ syslog
+ ignore
+ rotate
+ syslog|single|halt
+ syslog|single|halt
+
+
+ Auditd priority for flushing data to disk
+ The setting for flush in /etc/audit/auditd.conf
+ data
+ data
+ incremental
+ incremental_async
+ none
+ sync
+
+
+ Number of Record to Retain Before Flushing to Disk
+ The setting for freq in /etc/audit/auditd.conf
+ 50
+ 100
+ 50
+
+
+ Maximum audit log file size for auditd
+ The setting for max_log_file in /etc/audit/auditd.conf
+ 1
+ 10
+ 20
+ 5
+ 6
+ 6
+
+
+ Action for auditd to take when log files reach their maximum size
+ The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available:
+ignore - audit daemon does nothing.
+syslog - audit daemon will issue a warning to syslog.
+suspend - audit daemon will stop writing records to the disk.
+rotate - audit daemon will rotate logs in the same convention used by logrotate.
+keep_logs - similar to rotate but prevents audit logs to be overwritten. May trigger space_left_action if volume is full.
+ rotate
+ keep_logs
+ rotate
+ suspend
+ syslog
+ ignore
+
+
+ Number of log files for auditd to retain
+ The setting for num_logs in /etc/audit/auditd.conf
+ 0
+ 1
+ 2
+ 3
+ 4
+ 5
+ 10
+ 20
+ 50
+ 100
+ 5
+
+
+ Size remaining in disk space before prompting space_left_action
+ The setting for space_left (MB) in /etc/audit/auditd.conf
+ 1000
+ 100
+ 250
+ 500
+ 750
+ 100
+
+
+ Action for auditd to take when disk space just starts to run low
+ The setting for space_left_action in /etc/audit/auditd.conf
+ email
+ email
+ exec
+ halt
+ single
+ suspend
+ syslog
+ rotate
+ ignore
+
+
+ The percentage remaining in disk space before prompting space_left_action
+ The setting for space_left as a percentage in /etc/audit/auditd.conf
+ 25
+ 50
+ 75
+ 25
+
+
+ Configure auditd to use audispd's syslog plugin
+ To configure the auditd service to use the
+syslog plug-in of the audispd audit event multiplexor, set
+the active line in /etc/audit/plugins.d/syslog.conf to yes.
+Restart the auditd service:
+$ sudo service auditd restart
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 3.3.1
+ CCI-000136
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(5)(ii)(B)
+ 164.308(a)(5)(ii)(C)
+ 164.308(a)(6)(ii)
+ 164.308(a)(8)
+ 164.310(d)(2)(iii)
+ 164.312(b)
+ 164.314(a)(2)(i)(C)
+ 164.314(a)(2)(iii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ AU-4(1)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ FAU_GEN.1.1.c
+ Req-10.5.3
+ SRG-OS-000479-GPOS-00224
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000051-VMM-000230
+ SRG-OS-000058-VMM-000270
+ SRG-OS-000059-VMM-000280
+ SRG-OS-000479-VMM-001990
+ SRG-OS-000479-VMM-001990
+ The auditd service does not include the ability to send audit
+records to a centralized server for management directly. It does, however,
+include a plug-in for audit event multiplexor (audispd) to pass audit records
+to the local syslog server.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_syslog_active="yes"
+
+AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDISP_SYSLOGCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^active")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_syslog_active"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-53-AU-4(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.3
+ - auditd_audispd_syslog_plugin_activated
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: enable syslog plugin
+ lineinfile:
+ dest: /etc/audit/plugins.d/syslog.conf
+ regexp: ^active
+ line: active = yes
+ create: true
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.4.1.1
+ - NIST-800-171-3.3.1
+ - NIST-800-53-AU-4(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.5.3
+ - auditd_audispd_syslog_plugin_activated
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Configure auditd Disk Error Action on Disk Error
+ The auditd service can be configured to take an action
+when there is a disk error.
+Edit the file /etc/audit/auditd.conf. Add or modify the following line,
+substituting ACTION appropriately:
+disk_error_action = ACTION
+Set this value to single to cause the system to switch to single-user
+mode for corrective action. Acceptable values also include syslog,
+exec, single, and halt. For certain systems, the need for availability
+outweighs the need to log all actions, and a different setting should be
+determined. Details regarding all possible values for ACTION are described in the
+auditd.conf man page.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ SRG-OS-000047-GPOS-00023
+ Taking appropriate action in case of disk errors will minimize the possibility of
+losing audit records.
+
+
+
+
+
+
+
+
+
+ Configure auditd Disk Error Action on Disk Error
+ The auditd service can be configured to take an action
+when there is a disk error.
+Edit the file /etc/audit/auditd.conf. Add or modify the following line,
+substituting ACTION appropriately:
+disk_error_action = ACTION
+Set this value to single to cause the system to switch to single-user
+mode for corrective action. Acceptable values also include syslog,
+exec, single, and halt. For certain systems, the need for availability
+outweighs the need to log all actions, and a different setting should be
+determined. Details regarding all possible values for ACTION are described in the
+auditd.conf man page.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ SRG-OS-000047-GPOS-00023
+ Taking appropriate action in case of disk errors will minimize the possibility of
+losing audit records.
+
+
+
+
+
+
+
+
+ Configure auditd Disk Full Action when Disk Space Is Full
+ The auditd service can be configured to take an action
+when disk space is running low but prior to running out of space completely.
+Edit the file /etc/audit/auditd.conf. Add or modify the following line,
+substituting ACTION appropriately:
+disk_full_action = ACTION
+Set this value to single to cause the system to switch to single-user
+mode for corrective action. Acceptable values also include syslog,
+
+exec,
+
+single, and halt. For certain systems, the need for availability
+outweighs the need to log all actions, and a different setting should be
+determined. Details regarding all possible values for ACTION are described in the
+auditd.conf man page.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ SRG-OS-000047-GPOS-00023
+ Taking appropriate action in case of a filled audit storage volume will minimize
+the possibility of losing audit records.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_disk_full_action=''
+
+
+var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/audit/auditd.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd Disk Full Action when Disk Space Is Full
+ The auditd service can be configured to take an action
+when disk space is running low but prior to running out of space completely.
+Edit the file /etc/audit/auditd.conf. Add or modify the following line,
+substituting ACTION appropriately:
+disk_full_action = ACTION
+Set this value to single to cause the system to switch to single-user
+mode for corrective action. Acceptable values also include syslog,
+single, and halt. For certain systems, the need for availability
+outweighs the need to log all actions, and a different setting should be
+determined. Details regarding all possible values for ACTION are described in the
+auditd.conf man page.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ SRG-OS-000047-GPOS-00023
+ Taking appropriate action in case of a filled audit storage volume will minimize
+the possibility of losing audit records.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_disk_full_action=''
+
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/audit/auditd.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_full_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_disk_full_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Configure auditd mail_acct Action on Low Disk Space
+ The auditd service can be configured to send email to
+a designated account in certain situations. Add or correct the following line
+in /etc/audit/auditd.conf to ensure that administrators are notified
+via email for those situations:
+action_mail_acct =
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 3.3.1
+ CCI-000139
+ CCI-001855
+ 164.312(a)(2)(ii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ CIP-003-8 R1.3
+ CIP-003-8 R3
+ CIP-003-8 R3.1
+ CIP-003-8 R3.2
+ CIP-003-8 R3.3
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ IA-5(1)
+ AU-5(a)
+ AU-5(2)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7.a
+ SRG-OS-000046-GPOS-00022
+ SRG-OS-000343-GPOS-00134
+ SRG-OS-000046-VMM-000210
+ SRG-OS-000343-VMM-001240
+ Email sent to the root account is typically aliased to the
+administrators of the system, who can take appropriate action.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_action_mail_acct=''
+
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd admin_space_left Action on Low Disk Space
+ The auditd service can be configured to take an action
+when disk space is running low but prior to running out of space completely.
+Edit the file /etc/audit/auditd.conf. Add or modify the following line,
+substituting ACTION appropriately:
+admin_space_left_action = ACTION
+Set this value to single to cause the system to switch to single user
+mode for corrective action. Acceptable values also include suspend and
+halt. For certain systems, the need for availability
+outweighs the need to log all actions, and a different setting should be
+determined. Details regarding all possible values for ACTION are described in the
+auditd.conf man page.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 3.3.1
+ CCI-000140
+ CCI-001343
+ CCI-001855
+ 164.312(a)(2)(ii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ SRG-OS-000343-GPOS-00134
+ Administrators should be made aware of an inability to record
+audit records. If a separate partition or logical volume of adequate size
+is used, running low on space for audit records should never occur.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_admin_space_left_action=''
+
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^admin_space_left_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_admin_space_left_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd Max Log File Size
+ Determine the amount of audit data (in megabytes)
+which should be retained in each log file. Edit the file
+/etc/audit/auditd.conf. Add or modify the following line, substituting
+the correct value of for STOREMB:
+max_log_file = STOREMB
+Set the value to 6 (MB) or higher for general-purpose systems.
+Larger values, of course,
+support retention of even more audit data.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ CIP-004-6 R2.2.3
+ CIP-004-6 R3.3
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ CIP-007-3 R6.5
+ AU-11
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ The total storage for audit log files must be large enough to retain
+log information over the period required. This is a function of the maximum
+log file size and the number of logs retained.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_max_log_file=''
+
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+ The default action to take when the logs reach their maximum size
+is to rotate the log files, discarding the oldest one. To configure the action taken
+by auditd, add or correct the line in /etc/audit/auditd.conf:
+max_log_file_action = ACTION
+Possible values for ACTION are described in the auditd.conf man
+page. These include:
+ignoresyslogsuspendrotatekeep_logs
+Set the ACTION to rotate to ensure log rotation
+occurs. This is the default. The setting is case-insensitive.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 164.312(a)(2)(ii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ SRG-OS-000047-GPOS-00023
+ Automatically rotating logs (by setting this to rotate)
+minimizes the chances of the system unexpectedly running out of disk space by
+being overwhelmed with log data. However, for systems that must never discard
+log data, or which use external processes to transfer it and reclaim space,
+keep_logs can be employed.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_max_log_file_action=''
+
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^max_log_file_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_max_log_file_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd max_log_file_action Upon Reaching Maximum Log Size
+ The default action to take when the logs reach their maximum size
+is to rotate the log files, discarding the oldest one. To configure the action taken
+by auditd, add or correct the line in /etc/audit/auditd.conf:
+max_log_file_action = ACTION
+Possible values for ACTION are described in the auditd.conf man
+page. These include:
+ignoresyslogsuspendrotatekeep_logs
+Set the ACTION to rotate to ensure log rotation
+occurs. This is the default. The setting is case-insensitive.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000140
+ 164.312(a)(2)(ii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ SRG-OS-000047-GPOS-00023
+ Automatically rotating logs (by setting this to rotate)
+minimizes the chances of the system unexpectedly running out of disk space by
+being overwhelmed with log data. However, for systems that must never discard
+log data, or which use external processes to transfer it and reclaim space,
+keep_logs can be employed.
+
+
+
+
+
+
+
+
+ Configure auditd Number of Logs Retained
+ Determine how many log files
+auditd should retain when it rotates logs.
+Edit the file /etc/audit/auditd.conf. Add or modify the following
+line, substituting NUMLOGS with the correct value of :
+num_logs = NUMLOGS
+Set the value to 5 for general-purpose systems.
+Note that values less than 2 result in no log rotation.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ BAI03.05
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 3.3.1
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ CIP-004-6 R2.2.3
+ CIP-004-6 R3.3
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ CIP-007-3 R6.5
+ AU-11
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ The total storage for audit log files must be large enough to retain
+log information over the period required. This is a function of the maximum log
+file size and the number of logs retained.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_num_logs=''
+
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Configure auditd space_left Action on Low Disk Space
+ The auditd service can be configured to take an action
+when disk space starts to run low.
+Edit the file /etc/audit/auditd.conf. Modify the following line,
+substituting ACTION appropriately:
+space_left_action = ACTION
+Possible values for ACTION are described in the auditd.conf man page.
+These include:
+syslogemailexecsuspendsinglehalt
+Set this to email (instead of the default,
+which is suspend) as it is more likely to get prompt attention. Acceptable values
+also include suspend, single, and halt.
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 19
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 5.4.1.1
+ APO11.04
+ APO12.06
+ APO13.01
+ BAI03.05
+ BAI04.04
+ BAI08.02
+ DSS02.02
+ DSS02.04
+ DSS02.07
+ DSS03.01
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 3.3.1
+ CCI-001855
+ 164.312(a)(2)(ii)
+ 4.2.3.10
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.3.4.5.6
+ 4.3.4.5.7
+ 4.3.4.5.8
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.16.1.4
+ A.16.1.5
+ A.16.1.7
+ A.17.2.1
+ AU-5(b)
+ AU-5(2)
+ AU-5(1)
+ AU-5(4)
+ CM-6(a)
+ DE.AE-3
+ DE.AE-5
+ PR.DS-4
+ PR.PT-1
+ RS.AN-1
+ RS.AN-4
+ Req-10.7
+ SRG-OS-000343-GPOS-00134
+ SRG-OS-000343-VMM-001240
+ Notifying administrators of an impending disk space problem may
+allow them to take corrective action prior to any disruption.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+var_auditd_space_left_action=''
+
+
+#
+# If space_left_action present in /etc/audit/auditd.conf, change value
+# to var_auditd_space_left_action, else
+# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf
+#
+
+AUDITCONFIG=/etc/audit/auditd.conf
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "$AUDITCONFIG"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_space_left_action"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+ Set number of records to cause an explicit flush to audit logs
+ To configure Audit daemon to issue an explicit flush to disk command
+after writing records, set freq to
+in /etc/audit/auditd.conf.
+ CM-6
+ FAU_GEN.1
+ SRG-OS-000051-GPOS-00024
+ If option freq isn't set to , the flush to disk
+may happen after higher number of records, increasing the danger
+of audit loss.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+ touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_freq
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Set number of records to cause an explicit flush to audit logs
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*freq\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*freq\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: true
+ regexp: (?i)^\s*freq\s*=\s*
+ line: freq = 50
+ state: present
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_freq
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Include Local Events in Audit Logs
+ To configure Audit daemon to include local events in Audit logs, set
+local_events to yes in /etc/audit/auditd.conf.
+This is the default setting.
+ CCI-000366
+ CM-6
+ FAU_GEN.1
+ SRG-OS-000062-GPOS-00031
+ SRG-OS-000480-GPOS-00227
+ If option local_events isn't set to yes only events from
+network will be aggregated.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+ touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_local_events
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Include Local Events in Audit Logs
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*local_events\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*local_events\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: true
+ regexp: (?i)^\s*local_events\s*=\s*
+ line: local_events = yes
+ state: present
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_local_events
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Resolve information before writing to audit logs
+ To configure Audit daemon to resolve all uid, gid, syscall,
+architecture, and socket address information before writing the
+events to disk, set log_format to ENRICHED
+in /etc/audit/auditd.conf.
+ CCI-000366
+ CM-6
+ AU-3
+ FAU_GEN.1.2
+ SRG-OS-000255-GPOS-00096
+ SRG-OS-000480-GPOS-00227
+ If option log_format isn't set to ENRICHED, the
+audit records will be stored in a format exactly as the kernel sends them.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+ touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-3
+ - NIST-800-53-CM-6
+ - auditd_log_format
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Resolve information before writing to audit logs
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*log_format\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*log_format\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: true
+ regexp: (?i)^\s*log_format\s*=\s*
+ line: log_format = ENRICHED
+ state: present
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-3
+ - NIST-800-53-CM-6
+ - auditd_log_format
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Set hostname as computer node name in audit logs
+ To configure Audit daemon to use value returned by gethostname
+syscall as computer node name in the audit events,
+set name_format to hostname
+in /etc/audit/auditd.conf.
+ CCI-001851
+ CM-6
+ AU-3
+ FAU_GEN.1.2
+ SRG-OS-000039-GPOS-00017
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000479-GPOS-00224
+ If option name_format is left at its default value of
+none, audit events from different computers may be hard
+to distinguish.
+
+
+
+
+
+
+
+
+ Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+ The audit system should have an action setup in the event the internal event queue becomes full.
+To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action
+to one of the following values: syslog, single, halt.
+ CCI-001851
+ AU-4(1)
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000479-GPOS-00224
+ The audit system should have an action setup in the event the internal event queue becomes full
+so that no data is lost.
+
+
+
+
+
+
+
+
+ Write Audit Logs to the Disk
+ To configure Audit daemon to write Audit logs to the disk, set
+write_logs to yes in /etc/audit/auditd.conf.
+This is the default setting.
+ CM-6
+ FAU_STG.1
+ SRG-OS-000480-GPOS-00227
+ If write_logs isn't set to yes, the Audit logs will
+not be written to the disk.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then
+
+if [ -e "/etc/audit/auditd.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf"
+else
+ touch "/etc/audit/auditd.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/audit/auditd.conf"
+
+cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf"
+# Clean up after ourselves.
+rm "/etc/audit/auditd.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_write_logs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Write Audit Logs to the Disk
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*write_logs\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: false
+ regexp: (?i)^\s*write_logs\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/audit/auditd.conf
+ lineinfile:
+ path: /etc/audit/auditd.conf
+ create: true
+ regexp: (?i)^\s*write_logs\s*=\s*
+ line: write_logs = yes
+ state: present
+ when:
+ - '"auditd" in ansible_facts.packages'
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6
+ - auditd_write_logs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+ System Accounting with auditd
+ The auditd program can perform comprehensive
+monitoring of system activity. This section makes use of recommended
+configuration settings for specific policies or use cases.
+The rules in this section make use of rules defined in /usr/share/doc/audit-VERSION/rules.
+
+
+
+
+ AppArmor
+ Many security vulnerabilities result from bugs in trusted programs. A trusted
+program runs with privileges that attackers want to possess. The program fails
+to keep that trust if there is a bug in the program that allows the attacker to
+acquire said privilege.
+
+AppArmor® is an application security solution designed specifically to apply
+privilege confinement to suspect programs. AppArmor allows the administrator to
+specify the domain of activities the program can perform by developing a
+security profile. A security profile is a listing of files that the program may
+access and the operations the program may perform. AppArmor secures
+applications by enforcing good application behavior without relying on attack
+signatures, so it can prevent attacks even if previously unknown
+vulnerabilities are being exploited.
+
+
+ GRUB2 bootloader configuration
+ During the boot process, the boot loader is
+responsible for starting the execution of the kernel and passing
+options to it. The boot loader allows for the selection of
+different kernels - possibly on different partitions or media.
+The default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.
+Options it can pass to the kernel include single-user mode, which
+provides root access without any authentication, and the ability to
+disable SELinux. To prevent local users from modifying the boot
+parameters and endangering security, protect the boot loader configuration
+with a password and ensure its configuration file's permissions
+are set properly.
+
+
+ L1TF vulnerability mitigation
+ Defines the L1TF vulneratility mitigations to employ.
+ flush
+ full
+ full,force
+ flush
+ flush,nosmt
+ flush,nowarn
+
+
+ MDS vulnerability mitigation
+ Defines the MDS vulneratility mitigation to employ.
+ full
+ full
+ full,nosmt
+
+
+ Confidence level on Hardware Random Number Generator
+ Defines the level of trust on the hardware random number generators available in the
+system and the percentage of entropy to credit.
+ 500
+ 500
+ 512
+ 1000
+
+
+ Spec Store Bypass Mitigation
+ This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.
+ prctl
+ on
+ auto
+ prctl
+ seccomp
+
+
+ Disable Recovery Booting
+ Ubuntu 18.04 systems support an "recovery boot" option that can be used
+to prevent services from being started. The GRUB_DISABLE_RECOVERY
+configuration option in /etc/default/grub should be set to
+true to disable the generation of recovery mode menu entries. It is
+also required to change the runtime configuration, run:
+$ sudo update-grub
+ FIA_UAU.1
+ Using recovery boot, the console user could disable auditing, firewalls,
+or other services, weakening system security.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed; then
+
+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
+else
+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+fi
+
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - grub2_disable_recovery
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Verify GRUB_DISABLE_RECOVERY=true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: ^GRUB_DISABLE_RECOVERY=.*
+ line: GRUB_DISABLE_RECOVERY=true
+ state: present
+ when: '"grub2-common" in ansible_facts.packages'
+ tags:
+ - grub2_disable_recovery
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL
+ when: '"grub2-common" in ansible_facts.packages'
+ tags:
+ - grub2_disable_recovery
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - reboot_required
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ IOMMU configuration directive
+ On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
+ of the system critical units such as the memory.
+To ensure that iommu=force is added as a kernel command line
+argument to newly installed kernels, add iommu=force to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... iommu=force ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.
+ BP28(R11)
+ On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by
+ hardware devices.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*iommu=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an iommu= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)iommu=[^[:space:]]\+\(.*\"\)/\1iommu=force\2/" '/etc/default/grub'
+else
+ # no iommu=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 iommu=force\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "iommu=force"
+
+
+
+
+
+
+
+
+
+ Configure L1 Terminal Fault mitigations
+ L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
+speculative access to data which is available in the Level 1 Data Cache when
+the page table entry isn't present.
+
+Select the appropriate mitigation by adding the argument
+l1tf= to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that l1tf= is added as a kernel command line
+argument to newly installed kernels, add l1tf= to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... l1tf= ..."
+Run the following command to update command line for already installed kernels:# update-grub
+
+Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the
+following command:
+cat /sys/devices/system/cpu/vulnerabilities/l1tf
+ Enabling L1TF mitigations may impact performance of the system.
+ The L1TF vulnerability allows an attacker to bypass memory access security controls imposed
+by the system or hypervisor. The L1TF vulnerability allows read access to any physical memory
+location that is cached in the L1 Data Cache.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_l1tf_options=''
+
+
+
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*l1tf=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an l1tf= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)l1tf=[^[:space:]]\+\(.*\"\)/\1l1tf=$var_l1tf_options\2/" '/etc/default/grub'
+else
+ # no l1tf=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 l1tf=$var_l1tf_options\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "l1tf="
+
+
+
+
+
+
+
+
+
+
+ Force kernel panic on uncorrected MCEs
+ A Machine Check Exception is an error generated by the CPU itdetects an error
+in itself, memory or I/O devices.
+These errors may be corrected and generate a check log entry, if an error
+cannot be corrected the kernel may panic or SIGBUS.
+
+To force the kernel to panic on any uncorrected error reported by Machine Check
+set the MCE tolerance to zero by adding mce=0
+to the default GRUB 2 command line for the Linux operating system.
+To ensure that mce=0 is added as a kernel command line
+argument to newly installed kernels, add mce=0 to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... mce=0 ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue
+trying to exploit a vulnerability such as Rowhammer.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*mce=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an mce= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)mce=[^[:space:]]\+\(.*\"\)/\1mce=0\2/" '/etc/default/grub'
+else
+ # no mce=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 mce=0\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "mce=0"
+
+
+
+
+
+
+
+
+
+ Ensure SMAP is not disabled during boot
+ The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
+memory pages in the user space, it is enabled by default since Linux kernel 3.7.
+But it could be disabled through kernel boot parameters.
+
+Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
+the nosmap boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmap.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmap"
+ Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
+manipulation of data in the user space.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*nosmap=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)nosmap=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Ensure SMEP is not disabled during boot
+ The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the nosmep boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument nosmep.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="nosmep"
+ Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*nosmep=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)nosmep=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Configure the confidence in TPM for entropy
+ The TPM security chip that is available in most modern systems has a hardware RNG.
+It is also used to feed the entropy pool, but generally not credited entropy.
+
+Use rng_core.default_quality in the kernel command line to set the trust
+level on the hardware generators. The trust level defines the amount of entropy to credit.
+A value of 0 tells the system not to trust the hardware random number generators
+available, and doesn't credit any entropy to the pool.
+A value of 1000 assigns full confidence in the generators, and credits all the
+entropy it provides to the pool.
+
+Note that the value of rng_core.default_quality is global, affecting the trust
+on all hardware random number generators.
+
+Select the appropriate confidence by adding the argument
+rng_core.default_quality= to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that rng_core.default_quality= is added as a kernel command line
+argument to newly installed kernels, add rng_core.default_quality= to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... rng_core.default_quality= ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
+from the hardware number generators available in the system helps fill up the entropy pool.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_rng_core_default_quality=''
+
+
+
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*rng_core.default_quality=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an rng_core.default_quality= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)rng_core.default_quality=[^[:space:]]\+\(.*\"\)/\1rng_core.default_quality=$var_rng_core_default_quality\2/" '/etc/default/grub'
+else
+ # no rng_core.default_quality=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 rng_core.default_quality=$var_rng_core_default_quality\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "rng_core.default_quality="
+
+
+
+
+
+
+
+
+
+
+ Disable merging of slabs with similar size
+ The kernel may merge similar slabs together to reduce overhead and increase
+cache hotness of objects.
+Disabling merging of slabs keeps the slabs separate and reduces the risk of
+kernel heap overflows overwriting objects in merged caches.
+
+To disable merging of slabs in the Kernel add the argument slab_nomerge=yes
+to the default GRUB 2 command line for the Linux operating system.
+To ensure that slab_nomerge=yes is added as a kernel command line
+argument to newly installed kernels, add slab_nomerge=yes to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... slab_nomerge=yes ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ Disabling merge of slabs will slightly increase kernel memory utilization.
+ Disabling the merge of slabs of similar sizes prevents the kernel from
+merging a seemingly useless but vulnerable slab with a useful and valuable slab.
+This increase the risk that a heap overflow could overwrite objects from merged caches,
+with unmerged caches the heap overflow would only affect the objects in the same cache.
+Overall, this reduces the kernel attack surface area by isolating slabs from each other.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*slab_nomerge=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an slab_nomerge= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)slab_nomerge=[^[:space:]]\+\(.*\"\)/\1slab_nomerge=yes\2/" '/etc/default/grub'
+else
+ # no slab_nomerge=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 slab_nomerge=yes\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "slab_nomerge=yes"
+
+
+
+
+
+
+
+
+
+ Configure Speculative Store Bypass Mitigation
+ Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
+optimization known as Speculative Store Bypass (SSB).
+
+In such cases, recent stores to the same memory location cannot always be observed by later
+loads during speculative execution. However, such stores are unlikely and thus they can be
+detected prior to instruction retirement at the end of a particular speculation execution
+window.
+
+Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command:
+cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
+
+Select the appropriate SSB state by adding the argument
+spec_store_bypass_disable= to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that spec_store_bypass_disable= is added as a kernel command line
+argument to newly installed kernels, add spec_store_bypass_disable= to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... spec_store_bypass_disable= ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ Disabling Speculative Store Bypass may impact performance of the system.
+ In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel
+attack. An example of this is reading memory to which the attacker does not directly have access,
+for example inside the sandboxed code.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+var_spec_store_bypass_disable_options=''
+
+
+
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*spec_store_bypass_disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an spec_store_bypass_disable= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)spec_store_bypass_disable=[^[:space:]]\+\(.*\"\)/\1spec_store_bypass_disable=$var_spec_store_bypass_disable_options\2/" '/etc/default/grub'
+else
+ # no spec_store_bypass_disable=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 spec_store_bypass_disable=$var_spec_store_bypass_disable_options\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "spec_store_bypass_disable="
+
+
+
+
+
+
+
+
+
+
+ Enforce Spectre v2 mitigation
+ Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
+An exploit for Spectre V2 tricks the indirect branch predictor into executing
+code from a future indirect branch chosen by the attacker, even if the privilege
+level is different.
+
+Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:
+cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
+
+Enforce the Spectre V2 mitigation by adding the argument
+spectre_v2=on to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that spectre_v2=on) is added as a kernel command line
+argument to newly installed kernels, add spectre_v2=on) to the
+default Grub2 command line for Linux operating systems. Modify the line within
+/etc/default/grub as shown below:
+GRUB_CMDLINE_LINUX="... spectre_v2=on) ..."
+Run the following command to update command line for already installed kernels:# update-grub
+ The Spectre V2 vulnerability allows an attacker to read memory that he should not have
+access to.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*spectre_v2=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an spectre_v2= arg already exists
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)spectre_v2=[^[:space:]]\+\(.*\"\)/\1spectre_v2=on\2/" '/etc/default/grub'
+else
+ # no spectre_v2=arg is present, append it
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 spectre_v2=on\"/" '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ [customizations.kernel]
+append = "spectre_v2=on"
+
+
+
+
+
+
+
+
+
+ Ensure debug-shell service is not enabled during boot
+ systemd's debug-shell service is intended to
+diagnose systemd related boot issues with various systemctl
+commands. Once enabled and following a system reboot, the root shell
+will be available on tty9 which is access by pressing
+CTRL-ALT-F9. The debug-shell service should only be used
+for systemd related issues and should otherwise be disabled.
+
+By default, the debug-shell systemd service is already disabled.
+
+Ensure the debug-shell is not enabled by the systemd.debug-shel=1
+boot paramenter option.
+
+Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
+doesn't contain the argument systemd.debug-shell=1.
+Run the following command to update command line for already installed kernels:
+# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
+ FIA_UAU.1
+ This prevents attackers with physical access from trivially bypassing security
+on the machine through valid troubleshooting configurations and gaining root
+access when the system is rebooted.
+
+ # Remediation is applicable only in certain platforms
+if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*systemd.debug-shell=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)systemd.debug-shell=?[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+update-grub
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+ Non-UEFI GRUB2 bootloader configuration
+ Non-UEFI GRUB2 bootloader configuration
+
+
+
+ UEFI GRUB2 bootloader configuration
+ UEFI GRUB2 bootloader configuration
+
+
+
+
+ zIPL bootloader configuration
+ During the boot process, the bootloader is
+responsible for starting the execution of the kernel and passing
+options to it.
+The default Ubuntu 18.04 boot loader for s390x systems is called zIPL.
+
+
+
+ Protect Random-Number Entropy Pool
+ The I/O operations of the Linux kernel block layer due to their inherently
+unpredictable execution times have been traditionally considered as a reliable
+source to contribute to random-number entropy pool of the Linux kernel. This
+has changed with introduction of solid-state storage devices (SSDs) though.
+
+
+ Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
+ For each solid-state drive on the system, run:
+ # echo 0 > /sys/block/DRIVE/queue/add_random
+ In contrast to traditional electromechanical magnetic disks, containing
+spinning disks and / or movable read / write heads, the solid-state storage
+devices (SSDs) do not contain moving / mechanical components. Therefore the
+I/O operation completion times are much more predictable for them.
+
+
+
+ Kernel Configuration
+ Contains rules that check the kernel configuration that was used to build it.
+
+
+ Hash function for kernel module signing
+ The hash function to use when signing modules during kernel build process.
+ sha512
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
+
+
+ Key and certificate for kernel module signing
+ The private key and certificate to use when signing modules during kernel build process.
+On systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512
+In the latter case, the PKCS#11 URI should reference both a certificate and a private key.
+ certs/signing_key.pem
+ certs/signing_key.pem
+
+
+ Kernel panic timeout
+ The time, in seconds, to wait until a reboot occurs.
+If the value is 0 the system never reboots.
+If the value is less than 0 the system reboots immediately.
+ 0
+ 0
+ 300
+ 60
+ -1
+
+
+ Do not allow ACPI methods to be inserted/replaced at run time
+ This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting
+the system.
+This configuration is available from kernel 3.0.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_ACPI_CUSTOM_METHOD, run the following command:
+ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Enabling this feature allows arbitrary kernel memory to be written to by root (uid=0) users,
+allowing them to bypass certain security measures
+
+
+
+
+
+
+
+
+ Disable kernel support for MISC binaries
+ Enabling CONFIG_BINFMT_MISC makes it possible to plug wrapper-driven binary formats
+into the kernel. This is specially useful for programs that need an interpreter to run like
+Java, Python and DOS emulators. Once you have registered such a binary class with the kernel,
+you can start one of those programs simply by typing in its name at a shell prompt.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_BINFMT_MISC, run the following command:
+ grep CONFIG_BINFMT_MISC /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This disables arbitrary binary format support and helps reduce attack surface.
+
+
+
+
+
+
+
+
+ Enable support for BUG()
+ Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel
+image and potentially quietly ignoring numerous fatal conditions. You should only consider
+disabling this option for embedded systems with no facilities for reporting errors.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_BUG, run the following command:
+ grep CONFIG_BUG /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Not setting this variable may hide a number of critical errors.
+
+
+
+
+
+
+
+
+ Disable compatibility with brk()
+ Enabling compatiliby with brk() allows legacy binaries to run (i.e. those linked
+against libc5). But this compatibility comes at the cost of not being able to randomize
+the heap placement (ASLR).
+
+Unless legacy binaries need to run on the system, set CONFIG_COMPAT_BRK to "n".
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_COMPAT_BRK, run the following command:
+ grep CONFIG_COMPAT_BRK /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Enabling compatibility with brk() disables support for ASLR.
+
+
+
+
+
+
+
+
+ Disable the 32-bit vDSO
+ Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO
+that is not mapped at the address indicated in its segment table.
+Setting CONFIG_COMPAT_VDSO to y turns off the 32-bit VDSO and works
+aroud the glibc bug.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_COMPAT_VDSO, run the following command:
+ grep CONFIG_COMPAT_VDSO /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Enabling VDSO compatibility hurts performance and disables ASLR.
+
+
+
+
+
+
+
+
+ Enable checks on credential management
+ Enable this to turn on some debug checking for credential management. The additional code keeps
+track of the number of pointers from task_structs to any given cred struct, and checks to see
+that this number never exceeds the usage count of the cred struct.
+
+Furthermore, if SELinux is enabled, this also checks that the security pointer in the cred
+struct is never seen to be invalid.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEBUG_CREDENTIALS, run the following command:
+ grep CONFIG_DEBUG_CREDENTIALS /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This adds sanity checks and validations to credential data structures.
+
+
+
+
+
+
+
+
+ Disable kernel debugfs
+ debugfs is a virtual file system that kernel developers use to put debugging files
+into. Enable this option to be able to read and write to these files.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEBUG_FS, run the following command:
+ grep CONFIG_DEBUG_FS /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ To reduce the attack surface, this file system should be disabled if not in use.
+
+
+
+
+
+
+
+
+ Enable checks on linked list manipulation
+ Enable this to turn on extended checks in the linked-list walking routines.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEBUG_LIST, run the following command:
+ grep CONFIG_DEBUG_LIST /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This add sanity checks to manipulation of linked lists structures in the kernel and may
+prevent exploits such as CVE-2017-1661, where a race condition and simultaneos operations
+caused a list to corrupt.
+
+
+
+
+
+
+
+
+ Enable checks on notifier call chains
+ Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel
+developers to make sure that modules properly unregister themselves from notifier chains.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEBUG_NOTIFIERS, run the following command:
+ grep CONFIG_DEBUG_NOTIFIERS /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This provides validation of notifier chains, it checks whether the notifiers are from the
+kernel or a module that is still loaded prior to being invoked.
+
+
+
+
+
+
+
+
+ Enable checks on scatter-gather (SG) table operations
+ Scatter-gather tables are mechanism used for high performance I/O on DMA devices.
+Enable this to turn on checks on scatter-gather tables.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEBUG_SG, run the following command:
+ grep CONFIG_DEBUG_SG /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This can help find problems with drivers that do not properly initialize their SG tables.
+
+
+
+
+
+
+
+
+ Configure low address space to protect from user allocation
+ This is the portion of low virtual memory which should be protected from userspace allocation.
+This configuration is available from kernel 3.14, but may be available if backported
+by distros.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEFAULT_MMAP_MIN_ADDR, run the following command:
+ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*
+
+ For each kernel installed, a line with value "65536" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.
+
+
+
+
+
+
+
+
+ Disable /dev/kmem virtual device support
+ Disable support for the /dev/kmem device.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_DEVKMEM, run the following command:
+ grep CONFIG_DEVKMEM /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ The /dev/kmem device is rarely used, but can be used for certain kind of kernel debugging
+operations.
+
+
+
+
+
+
+
+
+ Disable hibernation
+ Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user
+interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on
+reboot.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_HIBERNATION, run the following command:
+ grep CONFIG_HIBERNATION /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Suspending to disk allows one to replace the running kernel.
+
+
+
+
+
+
+
+
+ Disable IA32 emulation
+ Disables support for legacy 32-bit programs under a 64-bit kernel.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_IA32_EMULATION, run the following command:
+ grep CONFIG_IA32_EMULATION /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Only disable support for 32-bit programs if you are sure you don't need any 32-bit program.
+ Disabling 32-bit backwards compatibility helps reduce the attack surface.
+
+
+
+
+
+
+
+
+ Disable the IPv6 protocol
+ Disable support for IP version 6 (IPv6).
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_IPV6, run the following command:
+ grep CONFIG_IPV6 /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Any unnecessary network stacks, including IPv6, should be disabled to reduce
+the vulnerability to exploitation.
+
+
+
+
+
+
+
+
+ Disable kexec system call
+ kexec is a system call that implements the ability to shutdown your current kernel,
+and to start another kernel. It is like a reboot but it is independent of the system firmware.
+And like a reboot you can start any kernel with it, not just Linux.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_KEXEC, run the following command:
+ grep CONFIG_KEXEC /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Prohibits the execution of a new kernel image after reboot.
+
+
+
+
+
+
+
+
+ Disable legacy (BSD) PTY support
+ Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for
+slaves of pseudo terminals, and use only the modern ptys (devpts) interface.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_LEGACY_PTYS, run the following command:
+ grep CONFIG_LEGACY_PTYS /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ The legacy scheme has a number of security problems.
+
+
+
+
+
+
+
+
+ Enable module signature verification
+ Check modules for valid signatures upon load.
+Note that this option adds the OpenSSL development packages as a kernel build dependency so
+that the signing tool can use its crypto library.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG, run the following command:
+ grep CONFIG_MODULE_SIG /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Loaded modules must be signed.
+
+
+
+
+
+
+
+
+ Enable automatic signing of all modules
+ Sign all modules during make modules_install. Without this option, modules must be signed
+manually, using the scripts/sign-file tool.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG_ALL, run the following command:
+ grep CONFIG_MODULE_SIG_ALL /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This ensures the modules are signed during install process.
+
+
+
+
+
+
+
+
+ Require modules to be validly signed
+ Reject unsigned modules or signed modules with an unknown key.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG_FORCE, run the following command:
+ grep CONFIG_MODULE_SIG_FORCE /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Prevent loading modules that are unsigned or signed with an unknown key.
+
+
+
+
+
+
+
+
+ Specify the hash to use when signing modules
+ This configures the kernel to build and sign modules using
+ as the hash function.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG_HASH, run the following command:
+ grep CONFIG_MODULE_SIG_HASH /boot/config-*
+
+ For each kernel installed, a line with value "" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Use of strong hash function is important to secure the module against counterfeit signatures.
+
+
+
+
+
+
+
+
+
+ Specify module signing key to use
+ Setting this option to something other than its default of certs/signing_key.pem will
+disable the autogeneration of signing keys and allow the kernel modules to be signed with a key
+of your choosing.
+
+The string provided should identify a file containing both a private key and
+its corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11
+is functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should
+reference both a certificate and a private key.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG_KEY, run the following command:
+ grep CONFIG_MODULE_SIG_KEY /boot/config-*
+
+ For each kernel installed, a line with value "" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ A key and certificate is required to sign the built modules.
+
+
+
+
+
+
+
+
+
+ Sign kernel modules with SHA-512
+ This configures the kernel to build and sign modules using SHA512 as the hash function.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_MODULE_SIG_SHA512, run the following command:
+ grep CONFIG_MODULE_SIG_SHA512 /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Use of strong hash function is important to secure the module against counterfeit signatures.
+
+
+
+
+
+
+
+
+ Enable poison without sanity check
+ Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some
+of the overhead of the poisoning feature.
+This configuration is available from kernel 4.6.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PAGE_POISONING_NO_SANITY, run the following command:
+ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This configuration helps alleviates the performance impact of poisonining.
+
+
+
+
+
+
+
+
+ Use zero for poisoning instead of debugging value
+ Instead of using the existing poison value, fill the pages with zeros. This makes it harder to
+detect when errors are occurring due to sanitization but the zeroing at free means that it is
+no longer necessary to write zeros when GFP_ZERO is used on allocation.
+This configuration is available from kernel 4.19.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PAGE_POISONING_ZERO, run the following command:
+ grep CONFIG_PAGE_POISONING_ZERO /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This configuration helps alleviates the performance impact of poisonining.
+
+
+
+
+
+
+
+
+ Remove the kernel mapping in user mode
+ This feature reduces the number of hardware side channels by ensuring that the majority of
+kernel addresses are not mapped into userspace.
+This configuration is available from kernel 4.15, but may be available if backported
+by distros.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PAGE_TABLE_ISOLATION, run the following command:
+ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This is a countermeasure to the Meltdown attack.
+
+
+
+
+
+
+
+
+ Kernel panic oops
+ Enable the kernel to panic when it oopses.
+This has the same effect as setting oops=panic on the kernel command line.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PANIC_ON_OOPS, run the following command:
+ grep CONFIG_PANIC_ON_OOPS /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This feature ensures that the kernel does not do anything erroneous after an oops which
+could result in data corruption or other issues.
+
+
+
+
+
+
+
+
+ Kernel panic timeout
+ Set the timeout value (in seconds) until a reboot occurs when the kernel panics.
+A timeout of 0 configures the system to wait forever. With a timeout value greater than 0,
+the system will wait the specified amount of seconds before rebooting. While a timeout value
+less than 0 makes the system reboot immediately.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PANIC_TIMEOUT, run the following command:
+ grep CONFIG_PANIC_TIMEOUT /boot/config-*
+
+ For each kernel installed, a line with value "" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This is required to enable protection against Spectre v2.
+
+
+
+
+
+
+
+
+
+ Disable support for /proc/kkcore
+ Provides a virtual ELF core file of the live kernel.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_PROC_KCORE, run the following command:
+ grep CONFIG_PROC_KCORE /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This feature exposes the memory to the userspace and can assist an attacker in discovering
+attack vectors.
+
+
+
+
+
+
+
+
+ Randomize the address of the kernel image (KASLR)
+ In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical
+address at which the kernel image is decompressed and the virtual address where the kernel
+image is mapped.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_RANDOMIZE_BASE, run the following command:
+ grep CONFIG_RANDOMIZE_BASE /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ An unpredictable kernel address makes it more difficult to succeed with exploits that rely on
+knowledge of the location of kernel code internals.
+
+
+
+
+
+
+
+
+ Randomize the kernel memory sections
+ Randomizes the base virtual address of kernel memory sections (physical memory mapping,
+vmalloc & vmemmap).
+This configuration is available from kernel 4.8, but may be available if backported
+by distros.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_RANDOMIZE_MEMORY, run the following command:
+ grep CONFIG_RANDOMIZE_MEMORY /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This security feature makes exploits relying on predictable memory locations less reliable.
+
+
+
+
+
+
+
+
+ Avoid speculative indirect branches in kernel
+ Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks
+by avoiding speculative indirect branches.
+Requires a compiler with -mindirect-branch=thunk-extern support for full protection.
+The kernel may run slower.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_RETPOLINE, run the following command:
+ grep CONFIG_RETPOLINE /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This is required to enable protection against Spectre v2.
+
+
+
+
+
+
+
+
+ Enable seccomp to safely compute untrusted bytecode
+ This kernel feature is useful for number crunching applications that may need to compute
+untrusted bytecode during their execution. By using pipes or other transports made available
+to the process as file descriptors supporting the read/write syscalls, it's possible to isolate
+those applications in their own address space using seccomp.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECCOMP, run the following command:
+ grep CONFIG_SECCOMP /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ seccomp enables the ability to filter system calls made by an application, effectively
+isolating the system's resources from it.
+
+
+
+
+
+
+
+
+ Enable use of Berkeley Packet Filter with seccomp
+ Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter
+programs which implement task-defined system call filtering polices.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECCOMP_FILTER, run the following command:
+ grep CONFIG_SECCOMP_FILTER /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Use of BPF filters allows for expressive filtering of system calls using a filter program
+language with a long history of being exposed to userland.
+
+
+
+
+
+
+
+
+ Enable different security models
+ This allows you to choose different security modules to be configured into your kernel.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECURITY, run the following command:
+ grep CONFIG_SECURITY /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This is enables kernel security primitives required by the LSM framework.
+
+
+
+
+
+
+
+
+ Restrict unprivileged access to the kernel syslog
+ Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECURITY_DMESG_RESTRICT, run the following command:
+ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Prevents unprivileged users from retrieving kernel addresses with dmesg.
+
+
+
+
+
+
+
+
+ Disable mutable hooks
+ Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECURITY_WRITABLE_HOOKS, run the following command:
+ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and
+being able to manipulate hooks is a way to bypass all LSMs.
+
+
+
+
+
+
+
+
+ Enable Yama support
+ This enables support for LSM module Yama, which extends DAC support with additional system-wide
+security settings beyond regular Linux discretionary access controls. The module will limit the
+use of the system call ptrace().
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SECURITY_YAMA, run the following command:
+ grep CONFIG_SECURITY_YAMA /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ Unrestricted usage of ptrace allows compromised binaries to run ptrace
+on another processes of the user.
+
+
+
+
+
+
+
+
+ Enable SLUB debugging support
+ SLUB has extensive debug support features and this allows the allocator validation checking to
+be enabled.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SLUB_DEBUG, run the following command:
+ grep CONFIG_SLUB_DEBUG /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This activates the checking of the memory allocator structures and resets to zero the zones
+allocated when they are released.
+
+
+
+
+
+
+
+
+ Enable TCP/IP syncookie support
+ Normal TCP/IP networking is open to an attack known as SYN flooding.
+It is denial-of-service attack that prevents legitimate remote users from being able to connect
+to your computer during an ongoing attack.
+
+When enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies
+to enable legitimate users to continue to connect, even when your machine is under attack.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_SYN_COOKIES, run the following command:
+ grep CONFIG_SYN_COOKIES /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ SYN cookies provide protection against SYN flooding attacks.
+
+
+
+
+
+
+
+
+ Unmap kernel when running in userspace (aka KAISER)
+ Speculation attacks against some high-performance processors can be used to bypass MMU
+permission checks and leak kernel data to userspace. This can be defended against by unmapping
+the kernel when running in userspace, mapping it back in on exception entry via a trampoline
+page in the vector table.
+This configuration is available from kernel 4.16, but may be available if backported
+by distros.
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_UNMAP_KERNEL_AT_EL0, run the following command:
+ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-*
+
+ For each kernel installed, a line with value "y" should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ This is a countermeasure to the Meltdown attack.
+
+
+
+
+
+
+
+
+
+ Disable x86 vsyscall emulation
+ Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also
+disable the helpful warning if a program tries to use a vsyscall. With this option set to N,
+offending programs will just segfault, citing addresses of the form 0xffffffffff600?00.
+This configuration is available from kernel 3.19.
+
+The configuration that was used to build kernel is available at /boot/config-*.
+ To check the configuration value for CONFIG_X86_VSYSCALL_EMULATION, run the following command:
+ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-*
+
+ Configs with value 'n' are not explicitly set in the file, so either commented lines or no
+ lines should be returned.
+
+ There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.
+ The vsyscall table is no longer required and is a potential source of ROP gadgets.
+
+
+
+
+
+
+
+
+ Kernel GCC plugin configuration
+ Contains rules that check the configuration of GCC plugins used by the compiler
+
+
+
+
+ Configure Syslog
+ The syslog service has been the default Unix logging mechanism for
+many years. It has a number of downsides, including inconsistent log format,
+lack of authentication for received messages, and lack of authentication,
+encryption, or reliable transport for messages sent over a network. However,
+due to its long history, syslog is a de facto standard which is supported by
+almost all Unix applications.
+
+
+In Ubuntu 18.04, rsyslog has replaced ksyslogd as the
+syslog daemon of choice, and it includes some additional security features
+such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
+option to log to database formats, and the encryption of log data en route to
+a central logging server.
+This section discusses how to configure rsyslog for
+best effect, and how to use tools provided with the system to maintain and
+monitor logs.
+
+
+ Ensure rsyslog is Installed
+ Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog
+ BP28(R5)
+ NT28(R46)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-001311
+ CCI-001312
+ CCI-000366
+ 164.312(a)(2)(ii)
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ PR.PT-1
+ FTP_ITC_EXT.1.1
+ SRG-OS-000479-GPOS-00224
+ SRG-OS-000051-GPOS-00024
+ SRG-OS-000480-GPOS-00227
+ The rsyslog package provides the rsyslog daemon, which provides
+system logging services.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "rsyslog"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure rsyslog is installed
+ package:
+ name: rsyslog
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_rsyslog_installed
+
+ include install_rsyslog
+
+class install_rsyslog {
+ package { 'rsyslog':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "rsyslog"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Enable rsyslog Service
+ The rsyslog service provides syslog-style logging by default on Ubuntu 18.04.
+
+The rsyslog service can be enabled with the following command:
+$ sudo systemctl enable rsyslog.service
+ BP28(R5)
+ NT28(R46)
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 2
+ 3
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO13.01
+ BAI03.05
+ BAI04.04
+ DSS01.03
+ DSS03.05
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ CCI-001311
+ CCI-001312
+ CCI-001557
+ CCI-001851
+ CCI-000366
+ 164.312(a)(2)(ii)
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.17.2.1
+ CM-6(a)
+ AU-4(1)
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.DS-4
+ PR.PT-1
+ SRG-OS-000480-GPOS-00227
+ The rsyslog service must be running in order to provide
+logging services, which are essential to system administration.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'rsyslog.service'
+"$SYSTEMCTL_EXEC" start 'rsyslog.service'
+"$SYSTEMCTL_EXEC" enable 'rsyslog.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service rsyslog
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service rsyslog
+ service:
+ name: rsyslog
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"rsyslog" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-4(1)
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_rsyslog_enabled
+
+ include enable_rsyslog
+
+class enable_rsyslog {
+ service {'rsyslog':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["rsyslog"]
+
+
+
+
+
+
+
+
+
+ Configure Logwatch on the Central Log Server
+ Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.
+
+
+ Ensure Proper Configuration of Log Files
+ The file /etc/rsyslog.conf controls where log message are written.
+These are controlled by lines called rules, which consist of a
+selector and an action.
+These rules are often customized depending on the role of the system, the
+requirements of the environment, and whatever may enable
+the administrator to most effectively make use of log data.
+The default rules in Ubuntu 18.04 are:
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+authpriv.* /var/log/secure
+mail.* -/var/log/maillog
+cron.* /var/log/cron
+*.emerg *
+uucp,news.crit /var/log/spooler
+local7.* /var/log/boot.log
+See the man page rsyslog.conf(5) for more information.
+Note that the rsyslog daemon can be configured to use a timestamp format that
+some log processing programs may not understand. If this occurs,
+edit the file /etc/rsyslog.conf and add or edit the following line:
+$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+ group who owns log files
+ Specify group owner of all logfiles specified in
+/etc/rsyslog.conf.
+ root
+ adm
+ root
+
+
+ User who owns log files
+ Specify user owner of all logfiles specified in
+/etc/rsyslog.conf.
+ root
+ adm
+ root
+ syslog
+
+
+ Ensure Rsyslog Authenticates Off-Loaded Audit Records
+ Rsyslogd is a system utility providing support for message logging. Support
+for both internet and UNIX domain sockets enables this utility to support both local
+and remote logging. Couple this utility with gnutls (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+encrypt and off-load auditing.
+
+When using rsyslogd to off-load logs the remote system must be authenticated.
+ CCI-001851
+ AU-4(1)
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000479-GPOS-00224
+ The audit records generated by Rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Audit records should be
+protected from unauthorized access.
+
+
+
+
+
+
+
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
+ Rsyslogd is a system utility providing support for message logging. Support
+for both internet and UNIX domain sockets enables this utility to support both local
+and remote logging. Couple this utility with gnutls (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+encrypt and off-load auditing.
+
+When using rsyslogd to off-load logs off a encrpytion system must be used.
+ CCI-001851
+ AU-4(1)
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000479-GPOS-00224
+ The audit records generated by Rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Audit records should be
+protected from unauthorized access.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*\$ActionSendStreamDriverMode /Id" "/etc/rsyslog.d/encrypt.conf"
+else
+ touch "/etc/rsyslog.d/encrypt.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf"
+
+cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "\$ActionSendStreamDriverMode 1" >> "/etc/rsyslog.d/encrypt.conf"
+# Clean up after ourselves.
+rm "/etc/rsyslog.d/encrypt.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+ block:
+
+ - name: Deduplicate values from /etc/rsyslog.conf
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: false
+ regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ state: absent
+
+ - name: Check if /etc/rsyslog.d exists
+ stat:
+ path: /etc/rsyslog.d
+ register: _etc_rsyslog_d_exists
+
+ - name: Check if the parameter $ActionSendStreamDriverMode is present in /etc/rsyslog.d
+ find:
+ paths: /etc/rsyslog.d
+ recurse: 'yes'
+ follow: 'no'
+ contains: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ register: _etc_rsyslog_d_has_parameter
+ when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir
+
+ - name: Remove parameter from files in /etc/rsyslog.d
+ lineinfile:
+ path: '{{ item.path }}'
+ create: false
+ regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ state: absent
+ with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
+ when: _etc_rsyslog_d_has_parameter.matched
+
+ - name: Insert correct line to /etc/rsyslog.conf
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: true
+ regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ line: $ActionSendStreamDriverMode 1
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-4(1)
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - rsyslog_encrypt_offload_actionsendstreamdrivermode
+
+
+
+
+
+
+
+
+
+ Ensure Rsyslog Encrypts Off-Loaded Audit Records
+ Rsyslogd is a system utility providing support for message logging. Support
+for both internet and UNIX domain sockets enables this utility to support both local
+and remote logging. Couple this utility with gnutls (which is a secure communications
+library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+encrypt and off-load auditing.
+
+When using rsyslogd to off-load logs off an encryption system must be used.
+ CCI-001851
+ AU-4(1)
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000479-GPOS-00224
+ The audit records generated by Rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Audit records should be
+protected from unauthorized access.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/rsyslog.d/encrypt.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*\$DefaultNetstreamDriver /Id" "/etc/rsyslog.d/encrypt.conf"
+else
+ touch "/etc/rsyslog.d/encrypt.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/rsyslog.d/encrypt.conf"
+
+cp "/etc/rsyslog.d/encrypt.conf" "/etc/rsyslog.d/encrypt.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "\$DefaultNetstreamDriver gtls" >> "/etc/rsyslog.d/encrypt.conf"
+# Clean up after ourselves.
+rm "/etc/rsyslog.d/encrypt.conf.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records
+ block:
+
+ - name: Deduplicate values from /etc/rsyslog.conf
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: false
+ regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ state: absent
+
+ - name: Check if /etc/rsyslog.d exists
+ stat:
+ path: /etc/rsyslog.d
+ register: _etc_rsyslog_d_exists
+
+ - name: Check if the parameter $DefaultNetstreamDriver is present in /etc/rsyslog.d
+ find:
+ paths: /etc/rsyslog.d
+ recurse: 'yes'
+ follow: 'no'
+ contains: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ register: _etc_rsyslog_d_has_parameter
+ when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir
+
+ - name: Remove parameter from files in /etc/rsyslog.d
+ lineinfile:
+ path: '{{ item.path }}'
+ create: false
+ regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ state: absent
+ with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
+ when: _etc_rsyslog_d_has_parameter.matched
+
+ - name: Insert correct line to /etc/rsyslog.conf
+ lineinfile:
+ path: /etc/rsyslog.conf
+ create: true
+ regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ line: $DefaultNetstreamDriver gtls
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-4(1)
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - rsyslog_encrypt_offload_defaultnetstreamdriver
+
+
+
+
+
+
+
+
+
+ Ensure Log Files Are Owned By Appropriate Group
+ The group-owner of all log files written by
+rsyslog should be .
+These log files are determined by the second part of each Rule line in
+/etc/rsyslog.conf and typically all appear in /var/log.
+For each log file LOGFILE referenced in /etc/rsyslog.conf,
+run the following command to inspect the file's group owner:
+$ ls -l LOGFILE
+If the owner is not , run the following command to
+correct this:
+$ sudo chgrp LOGFILE
+ BP28(R46)
+ BP28(R5)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001314
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ 0988
+ 1405
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-10.5.1
+ Req-10.5.2
+ The log files generated by rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Log files should be
+protected from unauthorized access.
+
+
+
+
+
+
+
+
+ Ensure Log Files Are Owned By Appropriate User
+ The owner of all log files written by
+rsyslog should be .
+These log files are determined by the second part of each Rule line in
+/etc/rsyslog.conf and typically all appear in /var/log.
+For each log file LOGFILE referenced in /etc/rsyslog.conf,
+run the following command to inspect the file's owner:
+$ ls -l LOGFILE
+If the owner is not , run the following command to
+correct this:
+$ sudo chown LOGFILE
+ BP28(R46)
+ BP28(R5)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001314
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ 0988
+ 1405
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-10.5.1
+ Req-10.5.2
+ The log files generated by rsyslog contain valuable information regarding system
+configuration, user authentication, and other such information. Log files should be
+protected from unauthorized access.
+
+
+
+
+
+
+
+
+ Ensure System Log Files Have Correct Permissions
+ The file permissions for all log files written by rsyslog should
+be set to 600, or more restrictive. These log files are determined by the
+second part of each Rule line in /etc/rsyslog.conf and typically
+all appear in /var/log. For each log file LOGFILE
+referenced in /etc/rsyslog.conf, run the following command to
+inspect the file's permissions:
+$ ls -l LOGFILE
+If the permissions are not 600 or more restrictive, run the following
+command to correct this:
+$ sudo chmod 0600 LOGFILE"
+ BP28(R36)
+ CCI-001314
+ 0988
+ 1405
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ Req-10.5.1
+ Req-10.5.2
+ Log files can contain valuable information regarding system
+configuration. If the system log files are not protected unauthorized
+users could change the logged data, eliminating their forensic value.
+
+
+
+
+
+
+
+
+
+ systemd-journald
+ systemd-journald is a system service that collects and stores
+logging data. It creates and maintains structured, indexed
+journals based on logging information that is received from a
+variety of sources.
+
+For more information on systemd-journald and additional systemd-journald configuration options, see
+https://systemd.io/.
+
+ Enable systemd-journald Service
+ The systemd-journald service is an essential component of
+systemd.
+
+The systemd-journald service can be enabled with the following command:
+$ sudo systemctl enable systemd-journald.service
+ CCI-001665
+ SC-24
+ SRG-OS-000269-GPOS-00103
+ In the event of a system failure, Ubuntu 18.04 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'systemd-journald.service'
+"$SYSTEMCTL_EXEC" start 'systemd-journald.service'
+"$SYSTEMCTL_EXEC" enable 'systemd-journald.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service systemd-journald
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service systemd-journald
+ service:
+ name: systemd-journald
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"systemd" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-SC-24
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_systemd-journald_enabled
+
+ include enable_systemd-journald
+
+class enable_systemd-journald {
+ service {'systemd-journald':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["systemd-journald"]
+
+
+
+
+
+
+
+
+
+
+ Ensure All Logs are Rotated by logrotate
+
+Edit the file /etc/logrotate.d/syslog. Find the first
+
+line, which should look like this (wrapped for clarity):
+/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
+ /var/log/boot.log /var/log/cron {
+Edit this line so that it contains a one-space-separated
+listing of each log file referenced in /etc/rsyslog.conf.
+
+All logs in use on a system must be rotated regularly, or the
+log files will consume disk space over time, eventually interfering
+with system operation. The file /etc/logrotate.d/syslog is the
+configuration file used by the logrotate program to maintain all
+log files written by syslog. By default, it rotates logs weekly and
+stores four archival copies of each log. These settings can be
+modified by editing /etc/logrotate.conf, but the defaults are
+sufficient for purposes of this guide.
+
+Note that logrotate is run nightly by the cron job
+/etc/cron.daily/logrotate. If particularly active logs need to be
+rotated more often than once a day, some other mechanism must be
+used.
+
+ Ensure Logrotate Runs Periodically
+ The logrotate utility allows for the automatic rotation of
+log files. The frequency of rotation is specified in /etc/logrotate.conf,
+which triggers a cron task. To configure logrotate to run daily, add or correct
+the following line in /etc/logrotate.conf:
+# rotate log files frequency
+daily
+ BP28(R43)
+ NT12(R18)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000366
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ PR.PT-1
+ Req-10.7
+ Log files that are not properly rotated run the risk of growing so large
+that they fill up the /var/log partition. Valuable logging information could be lost
+if the /var/log partition becomes full.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
+# daily rotation is configured
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Configure daily log rotation in /etc/logrotate.conf
+ lineinfile:
+ create: true
+ dest: /etc/logrotate.conf
+ regexp: ^daily$
+ line: daily
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.7
+ - configure_strategy
+ - ensure_logrotate_activated
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
+ lineinfile:
+ create: false
+ dest: /etc/logrotate.conf
+ regexp: ^[\s]*(weekly|monthly|yearly)$
+ state: absent
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.7
+ - configure_strategy
+ - ensure_logrotate_activated
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Configure cron.daily if not already
+ block:
+
+ - name: Add shebang
+ lineinfile:
+ path: /etc/cron.daily/logrotate
+ line: '#!/bin/sh'
+ insertbefore: BOF
+ create: true
+
+ - name: Add logrotate call
+ lineinfile:
+ path: /etc/cron.daily/logrotate
+ line: /usr/sbin/logrotate /etc/logrotate.conf
+ regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.7
+ - configure_strategy
+ - ensure_logrotate_activated
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
+ By default, rsyslog does not listen over the network
+for log messages. If needed, modules can be enabled to allow
+the rsyslog daemon to receive messages from other systems and for the system
+thus to act as a log server.
+If the system is not a log server, then lines concerning these modules
+should remain commented out.
+
+
+ Ensure syslog-ng is Installed
+ syslog-ng can be installed in replacement of rsyslog.
+The syslog-ng-core package can be installed with the following command:
+
+$ apt-get install syslog-ng-core
+ BP28(R46)
+ BP28(R5)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-001311
+ CCI-001312
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ PR.PT-1
+ The syslog-ng-core package provides the syslog-ng daemon, which provides
+system logging services.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "syslog-ng"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure syslog-ng is installed
+ package:
+ name: syslog-ng
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_syslogng_installed
+
+ include install_syslog-ng
+
+class install_syslog-ng {
+ package { 'syslog-ng':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "syslog-ng"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Enable syslog-ng Service
+ The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
+
+The syslog-ng service can be enabled with the following command:
+$ sudo systemctl enable syslog-ng.service
+ BP28(R46)
+ BP28(R5)
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 2
+ 3
+ 5
+ 6
+ 7
+ 8
+ 9
+ APO10.01
+ APO10.03
+ APO10.04
+ APO10.05
+ APO11.04
+ APO13.01
+ BAI03.05
+ BAI04.04
+ DSS01.03
+ DSS03.05
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ MEA01.01
+ MEA01.02
+ MEA01.03
+ MEA01.04
+ MEA01.05
+ MEA02.01
+ CCI-001311
+ CCI-001312
+ CCI-001557
+ CCI-001851
+ 4.3.2.6.7
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 6.1
+ SR 6.2
+ SR 7.1
+ SR 7.2
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.14.2.7
+ A.15.2.1
+ A.15.2.2
+ A.17.2.1
+ CM-6(a)
+ AU-4(1)
+ DE.CM-1
+ DE.CM-3
+ DE.CM-7
+ ID.SC-4
+ PR.DS-4
+ PR.PT-1
+ The syslog-ng service must be running in order to provide
+logging services, which are essential to system administration.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'syslog-ng.service'
+"$SYSTEMCTL_EXEC" start 'syslog-ng.service'
+"$SYSTEMCTL_EXEC" enable 'syslog-ng.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service syslog-ng
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service syslog-ng
+ service:
+ name: syslog-ng
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"syslog-ng" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-4(1)
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_syslogng_enabled
+
+ include enable_syslog-ng
+
+class enable_syslog-ng {
+ service {'syslog-ng':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["syslog-ng"]
+
+
+
+
+
+
+
+
+
+ Enable rsyslog to Accept Messages via TCP, if Acting As Log Server
+ The rsyslog daemon should not accept remote messages
+unless the system acts as a log server.
+If the system needs to act as a central log server, add the following lines to
+/etc/rsyslog.conf to enable reception of messages over TCP:
+$ModLoad imtcp
+$InputTCPServerRun 514
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CIP-004-6 R2.2.2
+ CIP-004-6 R3.3
+ CIP-007-3 R.1.3
+ CIP-007-3 R5
+ CIP-007-3 R5.1.1
+ CIP-007-3 R6.5
+ CM-6(a)
+ AU-6(3)
+ AU-6(4)
+ PR.PT-1
+ If the system needs to act as a log server, this ensures that it can receive
+messages over a reliable TCP connection.
+
+
+ Enable rsyslog to Accept Messages via UDP, if Acting As Log Server
+ The rsyslog daemon should not accept remote messages
+unless the system acts as a log server.
+If the system needs to act as a central log server, add the following lines to
+/etc/rsyslog.conf to enable reception of messages over UDP:
+$ModLoad imudp
+$UDPServerRun 514
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CIP-004-6 R2.2.2
+ CIP-004-6 R3.3
+ CIP-007-3 R.1.3
+ CIP-007-3 R5
+ CIP-007-3 R5.1.1
+ CIP-007-3 R6.5
+ CM-6(a)
+ AU-6(3)
+ AU-6(4)
+ PR.PT-1
+ Many devices, such as switches, routers, and other Unix-like systems, may only support
+the traditional syslog transmission over UDP. If the system must act as a log server,
+this enables it to receive their messages as well.
+
+
+
+ Rsyslog Logs Sent To Remote Host
+ If system logs are to be useful in detecting malicious
+activities, it is necessary to send logs to a remote server. An
+intruder who has compromised the root account on a system may
+delete the log entries which indicate that the system was attacked
+before they are seen by an administrator.
+
+However, it is recommended that logs be stored on the local
+host in addition to being sent to the loghost, especially if
+rsyslog has been configured to use the UDP protocol to send
+messages over a network. UDP does not guarantee reliable delivery,
+and moderately busy sites will lose log messages occasionally,
+especially in periods of high traffic which may be the result of an
+attack. In addition, remote rsyslog messages are not
+authenticated in any way by default, so it is easy for an attacker to
+introduce spurious messages to the central log server. Also, some
+problems cause loss of network connectivity, which will prevent the
+sending of messages to the central server. For all of these reasons, it is
+better to store log messages both centrally and on each host, so
+that they can be correlated if necessary.
+
+ Remote Log Server
+ Specify an URI or IP address of a remote host where the log messages will be sent and stored.
+ logcollector
+
+
+ Ensure Logs Sent To Remote Host
+ To configure rsyslog to send logs to a remote log server,
+open /etc/rsyslog.conf and read and understand the last section of the file,
+which describes the multiple directives necessary to activate remote
+logging.
+Along with these other directives, the system can be configured
+to forward its logs to a particular log server by
+adding or correcting one of the following lines,
+substituting appropriately.
+The choice of protocol depends on the environment of the system;
+although TCP and RELP provide more reliable message delivery,
+they may not be supported in all environments.
+
+To use UDP for log message delivery:
+*.* @
+
+To use TCP for log message delivery:
+*.* @@
+
+To use RELP for log message delivery:
+*.* :omrelp:
+
+There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
+ It is important to configure queues in case the client is sending log
+messages to a remote server. If queues are not configured,
+the system will stop functioning when the connection
+to the remote server is not available. Please consult Rsyslog
+documentation for more information about configuration of queues. The
+example configuration which should go into /etc/rsyslog.conf
+can look like the following lines:
+
+$ActionQueueType LinkedList
+$ActionQueueFileName queuefilename
+$ActionQueueMaxDiskSpace 1g
+$ActionQueueSaveOnShutdown on
+$ActionResumeRetryCount -1
+
+ BP28(R7)
+ NT28(R43)
+ NT12(R5)
+ 1
+ 13
+ 14
+ 15
+ 16
+ 2
+ 3
+ 5
+ 6
+ APO11.04
+ APO13.01
+ BAI03.05
+ BAI04.04
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000366
+ CCI-001348
+ CCI-000136
+ CCI-001851
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(5)(ii)(B)
+ 164.308(a)(5)(ii)(C)
+ 164.308(a)(6)(ii)
+ 164.308(a)(8)
+ 164.310(d)(2)(iii)
+ 164.312(b)
+ 164.314(a)(2)(i)(C)
+ 164.314(a)(2)(iii)
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ SR 7.1
+ SR 7.2
+ 0988
+ 1405
+ A.12.1.3
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.17.2.1
+ CIP-003-8 R5.2
+ CIP-004-6 R3.3
+ CM-6(a)
+ AU-4(1)
+ AU-9(2)
+ PR.DS-4
+ PR.PT-1
+ FAU_GEN.1.1.c
+ SRG-OS-000479-GPOS-00224
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000342-GPOS-00133
+ SRG-OS-000032-VMM-000130
+ A log server (loghost) receives syslog messages from one or more
+systems. This data can be used as an additional log source in the event a
+system is compromised and its local logs are suspect. Forwarding log messages
+to a remote loghost also provides system administrators with a centralized
+place to view the status of multiple hosts within the enterprise.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+rsyslog_remote_loghost_address=''
+
+
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/rsyslog.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^\*\.\*")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "@@$rsyslog_remote_loghost_address"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+
+ Network Configuration and Firewalls
+ Most systems must be connected to a network of some
+sort, and this brings with it the substantial risk of network
+attack. This section discusses the security impact of decisions
+about networking which must be made when configuring a system.
+
+This section also discusses firewalls, network access
+controls, and other network security frameworks, which allow
+system-level rules to be written that can limit an attackers' ability
+to connect to your system. These rules can specify that network
+traffic should be allowed or denied from certain IP addresses,
+hosts, and networks. The rules can also specify which of the
+system's network services are available to particular hosts or
+networks.
+
+ firewalld
+ The dynamic firewall daemon firewalld provides a
+dynamically managed firewall with support for network “zones” to assign
+a level of trust to a network and its associated connections and interfaces.
+It has support for IPv4 and IPv6 firewall settings. It supports Ethernet
+bridges and has a separation of runtime and permanent configuration options.
+It also has an interface for services or applications to add firewall rules
+directly.
+
+A graphical configuration tool, firewall-config, is used to configure
+firewalld, which in turn uses iptables tool to communicate
+with Netfilter in the kernel which implements packet filtering.
+
+The firewall service provided by firewalld is dynamic rather than
+static because changes to the configuration can be made at anytime and are
+immediately implemented. There is no need to save or apply the changes. No
+unintended disruption of existing network connections occurs as no part of
+the firewall has to be reloaded.
+
+
+ Inspect and Activate Default firewalld Rules
+ Firewalls can be used to separate networks into different zones
+based on the level of trust the user has decided to place on the devices and
+traffic within that network. NetworkManager informs firewalld to which
+zone an interface belongs. An interface's assigned zone can be changed by
+NetworkManager or via the firewall-config tool.
+
+The zone settings in /etc/firewalld/ are a range of preset settings
+which can be quickly applied to a network interface. These are the zones
+provided by firewalld sorted according to the default trust level of the
+zones from untrusted to trusted:
+dropAny incoming network packets are dropped, there is no
+reply. Only outgoing network connections are possible.blockAny incoming network connections are rejected with an
+icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited
+for IPv6. Only network connections initiated from within the system are
+possible.publicFor use in public areas. You do not trust the other
+computers on the network to not harm your computer. Only selected incoming
+connections are accepted.externalFor use on external networks with masquerading enabled
+especially for routers. You do not trust the other computers on the network to
+not harm your computer. Only selected incoming connections are accepted.dmzFor computers in your demilitarized zone that are
+publicly-accessible with limited access to your internal network. Only selected
+incoming connections are accepted.workFor use in work areas. You mostly trust the other computers
+on networks to not harm your computer. Only selected incoming connections are
+accepted.homeFor use in home areas. You mostly trust the other computers
+on networks to not harm your computer. Only selected incoming connections are
+accepted.internalFor use on internal networks. You mostly trust the
+other computers on the networks to not harm your computer. Only selected
+incoming connections are accepted.trustedAll network connections are accepted.
+
+It is possible to designate one of these zones to be the default zone. When
+interface connections are added to NetworkManager, they are assigned
+to the default zone. On installation, the default zone in firewalld is set to
+be the public zone.
+
+To find out all the settings of a zone, for example the public zone,
+enter the following command as root:
+# firewall-cmd --zone=public --list-all
+Example output of this command might look like the following:
+
+# firewall-cmd --zone=public --list-all
+public
+ interfaces:
+ services: mdns dhcpv6-client ssh
+ ports:
+ forward-ports:
+ icmp-blocks: source-quench
+
+To view the network zones currently active, enter the following command as root:
+# firewall-cmd --get-service
+The following listing displays the result of this command
+on common Ubuntu 18.04 system:
+
+# firewall-cmd --get-service
+amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
+high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd
+ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn
+pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
+samba samba-client smtp ssh telnet tftp tftp-client transmission-client
+vnc-server wbem-https
+
+Finally to view the network zones that will be active after the next firewalld
+service reload, enter the following command as root:
+# firewall-cmd --get-service --permanent
+
+
+ Strengthen the Default Ruleset
+ The default rules can be strengthened. The system
+scripts that activate the firewall rules expect them to be defined
+in configuration files under the /etc/firewalld/services
+and /etc/firewalld/zones directories.
+
+The following recommendations describe how to strengthen the
+default ruleset configuration file. An alternative to editing this
+configuration file is to create a shell script that makes calls to
+the firewall-cmd program to load in rules under the /etc/firewalld/services
+and /etc/firewalld/zones directories.
+
+Instructions apply to both unless otherwise noted. Language and address
+conventions for regular firewalld rules are used throughout this section.
+ The program firewall-config
+allows additional services to penetrate the default firewall rules
+and automatically adjusts the firewalld ruleset(s).
+
+
+
+ IPSec Support
+ Support for Internet Protocol Security (IPsec)
+is provided with Libreswan.
+
+
+ iptables and ip6tables
+ A host-based firewall called netfilter is included as
+part of the Linux kernel distributed with the system. It is
+activated by default. This firewall is controlled by the program
+iptables, and the entire capability is frequently referred to by
+this name. An analogous program called ip6tables handles filtering
+for IPv6.
+
+Unlike TCP Wrappers, which depends on the network server
+program to support and respect the rules written, netfilter
+filtering occurs at the kernel level, before a program can even
+process the data from the network packet. As such, any program on
+the system is affected by the rules written.
+
+This section provides basic information about strengthening
+the iptables and ip6tables configurations included with the system.
+For more complete information that may allow the construction of a
+sophisticated ruleset tailored to your environment, please consult
+the references at the end of this section.
+
+ Inspect and Activate Default Rules
+ View the currently-enforced iptables rules by running
+the command:
+$ sudo iptables -nL --line-numbers
+The command is analogous for ip6tables.
+
+If the firewall does not appear to be active (i.e., no rules
+appear), activate it and ensure that it starts at boot by issuing
+the following commands (and analogously for ip6tables):
+$ sudo service iptables restart
+The default iptables rules are:
+Chain INPUT (policy ACCEPT)
+num target prot opt source destination
+1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
+5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+
+Chain FORWARD (policy ACCEPT)
+num target prot opt source destination
+1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+
+Chain OUTPUT (policy ACCEPT)
+num target prot opt source destination
+The ip6tables default rules are essentially the same.
+
+ Verify ip6tables Enabled if Using IPv6
+
+The ip6tables service can be enabled with the following command:
+$ sudo systemctl enable ip6tables.service
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 4
+ 6
+ 8
+ 9
+ APO01.06
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.05
+ DSS03.01
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.02
+ DSS06.06
+ 4.2.3.4
+ 4.3.3.4
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ 4.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.1.1
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.2
+ A.13.1.3
+ A.13.2.1
+ A.13.2.2
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R4
+ CIP-003-8 R5
+ CIP-004-6 R3
+ AC-4
+ CM-7(b)
+ CA-3(5)
+ SC-7(21)
+ CM-6(a)
+ DE.AE-1
+ ID.AM-3
+ PR.AC-5
+ PR.DS-5
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ The ip6tables service provides the system's host-based firewalling
+capability for IPv6 and ICMPv6.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'ip6tables.service'
+"$SYSTEMCTL_EXEC" start 'ip6tables.service'
+"$SYSTEMCTL_EXEC" enable 'ip6tables.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service ip6tables
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service ip6tables
+ service:
+ name: ip6tables
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"iptables-ipv6" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-4
+ - NIST-800-53-CA-3(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-SC-7(21)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_ip6tables_enabled
+
+ include enable_ip6tables
+
+class enable_ip6tables {
+ service {'ip6tables':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["ip6tables"]
+
+
+
+
+
+
+
+
+
+ Verify iptables Enabled
+
+The iptables service can be enabled with the following command:
+$ sudo systemctl enable iptables.service
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 4
+ 6
+ 8
+ 9
+ APO01.06
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.05
+ DSS03.01
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.02
+ DSS06.06
+ 4.2.3.4
+ 4.3.3.4
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ 4.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.1.1
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.2
+ A.13.1.3
+ A.13.2.1
+ A.13.2.2
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R4
+ CIP-003-8 R5
+ CIP-004-6 R3
+ AC-4
+ CM-7(b)
+ CA-3(5)
+ SC-7(21)
+ CM-6(a)
+ DE.AE-1
+ ID.AM-3
+ PR.AC-5
+ PR.DS-5
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ The iptables service provides the system's host-based firewalling
+capability for IPv4 and ICMP.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'iptables.service'
+"$SYSTEMCTL_EXEC" start 'iptables.service'
+"$SYSTEMCTL_EXEC" enable 'iptables.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service iptables
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service iptables
+ service:
+ name: iptables
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"iptables" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-4
+ - NIST-800-53-CA-3(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-SC-7(21)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_iptables_enabled
+
+ include enable_iptables
+
+class enable_iptables {
+ service {'iptables':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["iptables"]
+
+
+
+
+
+
+
+
+
+ Set Default ip6tables Policy for Incoming Packets
+ To set the default policy to DROP (instead of ACCEPT) for
+the built-in INPUT chain which processes incoming packets,
+add or correct the following line in
+/etc/sysconfig/ip6tables:
+:INPUT DROP [0:0]
+If changes were required, reload the ip6tables rules:
+$ sudo service ip6tables reload
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CIP-003-8 R4
+ CIP-003-8 R5
+ CIP-004-6 R3
+ AC-4
+ CM-7(b)
+ CA-3(5)
+ SC-7(21)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Req-1.4.1
+ In ip6tables, the default policy is applied only after all
+the applicable rules in the table are examined for a match. Setting the
+default policy to DROP implements proper design for a firewall, i.e.
+any packets which are not explicitly permitted should not be
+accepted.
+ sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/ip6tables
+
+
+
+
+
+
+ Set configuration for IPv6 loopback traffic
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ Changing firewall settings while connected over network can
+result in being locked out of the system.
+ Req-1.4.1
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
+
+
+
+
+
+ Set configuration for loopback traffic
+ Configure the loopback interface to accept traffic.
+Configure all other interfaces to deny traffic to the loopback
+network.
+ Changing firewall settings while connected over network can
+result in being locked out of the system.
+ Req-1.4.1
+ Loopback traffic is generated between processes on machine and is
+typically critical to operation of the system. The loopback interface
+is the only place that loopback network traffic should be seen, all
+other interfaces should ignore traffic on this network as an
+anti-spoofing measure.
+
+
+
+
+
+
+ Strengthen the Default Ruleset
+ The default rules can be strengthened. The system
+scripts that activate the firewall rules expect them to be defined
+in the configuration files iptables and ip6tables in the directory
+/etc/sysconfig. Many of the lines in these files are similar
+to the command line arguments that would be provided to the programs
+/sbin/iptables or /sbin/ip6tables - but some are quite
+different.
+
+The following recommendations describe how to strengthen the
+default ruleset configuration file. An alternative to editing this
+configuration file is to create a shell script that makes calls to
+the iptables program to load in rules, and then invokes service
+iptables save to write those loaded rules to
+/etc/sysconfig/iptables.
+
+The following alterations can be made directly to
+/etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
+Instructions apply to both unless otherwise noted. Language and address
+conventions for regular iptables are used throughout this section;
+configuration for ip6tables will be either analogous or explicitly
+covered.
+ The program system-config-securitylevel
+allows additional services to penetrate the default firewall rules
+and automatically adjusts /etc/sysconfig/iptables. This program
+is only useful if the default ruleset meets your security
+requirements. Otherwise, this program should not be used to make
+changes to the firewall configuration because it re-writes the
+saved configuration file.
+
+ Set Default iptables Policy for Incoming Packets
+ To set the default policy to DROP (instead of ACCEPT) for
+the built-in INPUT chain which processes incoming packets,
+add or correct the following line in
+/etc/sysconfig/iptables:
+:INPUT DROP [0:0]
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CA-3(5)
+ CM-7(b)
+ SC-7(23)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ In iptables the default policy is applied only after all
+the applicable rules in the table are examined for a match. Setting the
+default policy to DROP implements proper design for a firewall, i.e.
+any packets which are not explicitly permitted should not be
+accepted.
+ sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables
+
+
+
+
+
+
+ Set Default iptables Policy for Forwarded Packets
+ To set the default policy to DROP (instead of ACCEPT) for
+the built-in FORWARD chain which processes packets that will be forwarded from
+one interface to another,
+add or correct the following line in
+/etc/sysconfig/iptables:
+:FORWARD DROP [0:0]
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CA-3(5)
+ CM-7(b)
+ SC-7(23)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ In iptables, the default policy is applied only after all
+the applicable rules in the table are examined for a match. Setting the
+default policy to DROP implements proper design for a firewall, i.e.
+any packets which are not explicitly permitted should not be
+accepted.
+ sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables
+
+
+
+
+
+
+ Restrict ICMP Message Types
+ In /etc/sysconfig/iptables, the accepted ICMP messages
+types can be restricted. To accept only ICMP echo reply, destination
+unreachable, and time exceeded messages, remove the line:
+-A INPUT -p icmp --icmp-type any -j ACCEPT
+and insert the lines:
+-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+To allow the system to respond to pings, also insert the following line:
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+Ping responses can also be limited to certain networks or hosts by using the -s
+option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is
+preferable to deny the ICMPv6 packets you know you don't need (e.g. ping
+requests) in /etc/sysconfig/ip6tables, while letting everything else
+through:
+-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+If you are going to statically configure the system's address, it should
+ignore Router Advertisements which could add another IPv6 address to the
+interface or alter important network settings:
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
+Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not
+recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great
+care must be taken if any other ICMPv6 types are blocked.
+
+
+ Log and Drop Packets with Suspicious Source Addresses
+ Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the
+modified policy will reject non-matching packets, you only need to add these rules if you are interested in also
+logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious
+traffic, add identical rules with a target of DROP after each LOG.
+To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting
+any that are intentionally used):
+-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
+-A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
+-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
+-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
+-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
+-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
+Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected
+on your network:
+-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
+-A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+-A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
+If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:
+-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
+-A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "
+If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and
+do not plan to have any services that multicast to the entire local network), you can block the link-local
+all-nodes multicast address (before accepting incoming ICMPv6):
+-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "
+However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
+then consider logging the non-routable IPv4-compatible addresses:
+-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
+-A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
+-A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
+-A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "
+If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:
+-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
+-A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "
+The following rule will log all traffic originating from a site-local address, which is deprecated address space:
+-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "
+
+
+
+
+ IPv6
+ The system includes support for Internet Protocol
+version 6. A major and often-mentioned improvement over IPv4 is its
+enormous increase in the number of available addresses. Another
+important feature is its support for automatic configuration of
+many network settings.
+
+ Disable Support for IPv6 Unless Needed
+ Despite configuration that suggests support for IPv6 has
+been disabled, link-local IPv6 address auto-configuration occurs
+even when only an IPv4 address is assigned. The only way to
+effectively prevent execution of the IPv6 networking stack is to
+instruct the system not to activate the IPv6 kernel module.
+
+ Disable IPv6 Networking Support Automatic Loading
+ To prevent the IPv6 kernel module (ipv6) from binding to the
+IPv6 networking stack, add the following line to
+/etc/modprobe.d/disabled.conf (or another file in
+/etc/modprobe.d):
+options ipv6 disable=1
+This permits the IPv6 module to be loaded (and thus satisfy other modules that
+depend on it), while disabling support for the IPv6 protocol.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+the vulnerability to exploitation.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack
+echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
+
+# Since according to: https://access.redhat.com/solutions/72733
+# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from
+# loading, instruct also sysctl configuration to disable IPv6 according to:
+# https://access.redhat.com/solutions/8709#rhel6disable
+
+declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6")
+
+for setting in "${IPV6_SETTINGS[@]}"
+do
+ # Set runtime =1 for setting
+ /sbin/sysctl -q -n -w "$setting=1"
+
+ # If setting is present in /etc/sysctl.conf, change value to "1"
+ # else, add "$setting = 1" to /etc/sysctl.conf
+ if grep -q ^"$setting" /etc/sysctl.conf ; then
+ sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf
+ else
+ echo "" >> /etc/sysctl.conf
+ echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf
+ echo "$setting = 1" >> /etc/sysctl.conf
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable IPv6 Networking kernel module
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/ipv6.conf
+ regexp: ^options\s+ipv6\s+disable=\d
+ line: options ipv6 disable=1
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_ipv6_option_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Ensure disable_ipv6 (all and default) is set to 1
+ sysctl:
+ name: '{{ item }}'
+ value: '1'
+ state: present
+ reload: true
+ with_items:
+ - net.ipv6.conf.all.disable_ipv6
+ - net.ipv6.conf.default.disable_ipv6
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_ipv6_option_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+
+
+
+
+
+
+
+
+ Disable IPv6 Addressing on All IPv6 Interfaces
+ To disable support for (ipv6) addressing on all interface add the following line to
+/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
+net.ipv6.conf.all.disable_ipv6 = 1
+This disables IPv6 on all network interfaces as other services and system
+functionality require the IPv6 stack loaded to work.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.1.20
+ CCI-001551
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+the vulnerability to exploitation.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv6.conf.all.disable_ipv6" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for net.ipv6.conf.all.disable_ipv6
+#
+/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1"
+
+#
+# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1"
+# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv6.conf.all.disable_ipv6.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+
+- name: Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv6.conf.all.disable_ipv6
+ replace: '#net.ipv6.conf.all.disable_ipv6'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+
+- name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1
+ sysctl:
+ name: net.ipv6.conf.all.disable_ipv6
+ value: '1'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_all_disable_ipv6
+
+
+
+
+
+
+
+
+
+ Disable IPv6 Addressing on IPv6 Interfaces by Default
+ To disable support for (ipv6) addressing on interfaces by default add the following line to
+/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
+net.ipv6.conf.default.disable_ipv6 = 1
+This disables IPv6 on network interfaces by default as other services and system
+functionality require the IPv6 stack loaded to work.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.1.20
+ CCI-001551
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+the vulnerability to exploitation.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv6.conf.default.disable_ipv6" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for net.ipv6.conf.default.disable_ipv6
+#
+/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1"
+
+#
+# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to "1"
+# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv6.conf.default.disable_ipv6.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+
+- name: Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv6.conf.default.disable_ipv6
+ replace: '#net.ipv6.conf.default.disable_ipv6'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+
+- name: Ensure sysctl net.ipv6.conf.default.disable_ipv6 is set to 1
+ sysctl:
+ name: net.ipv6.conf.default.disable_ipv6
+ value: '1'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.20
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv6_conf_default_disable_ipv6
+
+
+
+
+
+
+
+
+
+
+ Configure IPv6 Settings if Necessary
+ A major feature of IPv6 is the extent to which systems
+implementing it can automatically configure their networking
+devices using information from the network. From a security
+perspective, manually configuring important configuration
+information is preferable to accepting it from the network
+in an unauthenticated fashion.
+
+ IPV6_AUTOCONF
+ Toggle global IPv6 auto-configuration (only, if global
+forwarding is disabled)
+ no
+ no
+ yes
+
+
+ net.ipv6.conf.all.accept_ra_defrtr
+ Accept default router in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.accept_ra_pinfo
+ Accept prefix information in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.accept_ra_rtr_pref
+ Accept router preference in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.accept_ra
+ Accept all router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.accept_redirects
+ Toggle ICMP Redirect Acceptance
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.accept_source_route
+ Trackers could be using source-routed packets to
+generate traffic that seems to be intra-net, but actually was
+created outside and has been redirected.
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.autoconf
+ Enable auto configuration on IPv6 interfaces
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.forwarding
+ Toggle IPv6 Forwarding
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.all.max_addresses
+ Maximum number of autoconfigured IPv6 addresses
+ 1
+
+
+ net.ipv6.conf.all.router_solicitations
+ Accept all router solicitations?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_ra_defrtr
+ Accept default router in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_ra_pinfo
+ Accept prefix information in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_ra_rtr_pref
+ Accept router preference in router advertisements?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_ra
+ Accept default router advertisements by default?
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_redirects
+ Toggle ICMP Redirect Acceptance By Default
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.accept_source_route
+ Trackers could be using source-routed packets to
+generate traffic that seems to be intra-net, but actually was
+created outside and has been redirected.
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.autoconf
+ Enable auto configuration on IPv6 interfaces
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.forwarding
+ Toggle IPv6 default Forwarding
+ 0
+ 0
+ 1
+
+
+ net.ipv6.conf.default.max_addresses
+ Maximum number of autoconfigured IPv6 addresses
+ 1
+
+
+ net.ipv6.conf.default.router_solicitations
+ Accept all router solicitations by default?
+ 0
+ 0
+ 1
+
+
+ Limit Network-Transmitted Configuration if Using Static IPv6 Addresses
+ To limit the configuration information requested from other
+systems and accepted from the network on a system that uses
+statically-configured IPv6 addresses, add the following lines to
+/etc/sysctl.conf:
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.max_addresses = 1
+The router_solicitations setting determines how many router
+solicitations are sent when bringing up the interface. If addresses are
+statically assigned, there is no need to send any solicitations.
+
+The accept_ra_pinfo setting controls whether the system will accept
+prefix info from the router.
+
+The accept_ra_defrtr setting controls whether the system will accept
+Hop Limit settings from a router advertisement. Setting it to 0 prevents a
+router from changing your default IPv6 Hop Limit for outgoing packets.
+
+The autoconf setting controls whether router advertisements can cause
+the system to assign a global unicast address to an interface.
+
+The dad_transmits setting determines how many neighbor solicitations
+to send out per address (global and link-local) when bringing up an interface
+to ensure the desired address is unique on the network.
+
+The max_addresses setting determines how many global unicast IPv6
+addresses can be assigned to each interface. The default is 16, but it should
+be set to exactly the number of statically configured global addresses
+required.
+
+
+
+
+ Kernel Parameters Which Affect Networking
+ The sysctl utility is used to set
+parameters which affect the operation of the Linux kernel. Kernel parameters
+which affect networking and have security implications are described here.
+
+ Network Related Kernel Runtime Parameters for Hosts and Routers
+ Certain kernel parameters should be set for systems which are
+acting as either hosts or routers to improve the system's ability defend
+against certain types of IPv4 protocol attacks.
+
+
+ net.ipv4.conf.all.accept_redirects
+ Disable ICMP Redirect Acceptance
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.all.accept_source_route
+ Trackers could be using source-routed packets to
+generate traffic that seems to be intra-net, but actually was
+created outside and has been redirected.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.arp_filter
+ Controls whether the ARP filter is enabled or not.
+
+1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each
+interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface.
+In other words it allows control of which cards (usually 1) will respond to an ARP request.
+
+0 - (default) The kernel can respond to arp requests with addresses from other interfaces.
+This may seem wrong but it usually makes sense, because it increases the chance of successful communication.
+IP addresses are owned by the complete host on Linux, not by particular interfaces.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.arp_ignore
+ Control the response modes for ARP queries that resolve local target IP addresses:
+
+0 - (default): reply for any local target IP address, configured on any interface
+1 - reply only if the target IP address is local address configured on the incoming interface
+2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender’s IP address are part from same subnet on this interface
+3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied
+4-7 - reserved
+8 - do not reply for all local addresses
+ 0
+ 0
+ 1
+ 2
+ 3
+ 8
+
+
+ net.ipv4.conf.all.forwarding
+ Toggle IPv4 Forwarding
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.all.log_martians
+ Disable so you don't Log Spoofed Packets, Source
+Routed Packets, Redirect Packets
+ 1
+ 0
+ 1
+
+
+ net.ipv4.conf.all.rp_filter
+ Enable to enforce sanity checking, also called ingress
+filtering or egress filtering. The point is to drop a packet if the
+source and destination IP addresses in the IP header do not make
+sense when considered in light of the physical interface on which
+it arrived.
+ 1
+ 1
+ 2
+
+
+ net.ipv4.conf.all.secure_redirects
+ Enable to prevent hijacking of routing path by only
+allowing redirects from gateways known in routing
+table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.all.shared_media
+ Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects.
+shared_media for the interface will be enabled if at least one of conf/{all,interface}/shared_media
+is set to TRUE, it will be disabled otherwise.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.accept_redirects
+ Disable ICMP Redirect Acceptance?
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.accept_source_route
+ Disable IP source routing?
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.log_martians
+ Disable so you don't Log Spoofed Packets, Source
+Routed Packets, Redirect Packets
+ 1
+ 0
+ 1
+
+
+ net.ipv4.conf.default.rp_filter
+ Enables source route verification
+ 1
+ 0
+ 1
+
+
+ net.ipv4.conf.default.secure_redirects
+ Enable to prevent hijacking of routing path by only
+allowing redirects from gateways known in routing
+table. Disable to refuse acceptance of secure ICMP redirected packages by default.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.conf.default.shared_media
+ Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects.
+shared_media for the interface will be enabled if at least one of conf/{all,interface}/shared_media
+is set to TRUE, it will be disabled otherwise.
+ 0
+ 0
+ 1
+
+
+ net.ipv4.icmp_echo_ignore_broadcasts
+ Ignore all ICMP ECHO and TIMESTAMP requests sent to it
+via broadcast/multicast
+ 1
+ 0
+ 1
+
+
+ net.ipv4.icmp_ignore_bogus_error_responses
+ Enable to prevent unnecessary logging
+ 1
+ 0
+ 1
+
+
+ net.ipv4.tcp_invalid_ratelimit
+ Configure the maximal rate for sending duplicate acknowledgments in
+response to incoming invalid TCP packets.
+ 500
+ 1000
+ 500
+ 250
+ 100
+
+
+ net.ipv4.tcp_rfc1337
+ Enable to enable TCP behavior conformant with RFC 1337
+ 1
+ 0
+ 1
+
+
+ net.ipv4.tcp_syncookies
+ Enable to turn on TCP SYN Cookie
+Protection
+ 1
+ 0
+ 1
+
+
+ Disable Accepting Packets Routed Between Local Interfaces
+ To set the runtime status of the net.ipv4.conf.all.accept_local kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_local=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_local = 0
+ Configure net.ipv4.conf.all.accept_local=0 to consider as invalid the packets
+received from outside whose source is the 127.0.0.0/8 address block.
+In combination with suitable routing, this can be used to direct packets between two
+local interfaces over the wire and have them accepted properly.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.accept_local.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.all.accept_local" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for net.ipv4.conf.all.accept_local
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_local="0"
+
+#
+# If net.ipv4.conf.all.accept_local present in /etc/sysctl.conf, change value to "0"
+# else, add "net.ipv4.conf.all.accept_local = 0" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.accept_local")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.accept_local\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.all.accept_local\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.all.accept_local.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_accept_local
+
+- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.all.accept_local
+ replace: '#net.ipv4.conf.all.accept_local'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_accept_local
+
+- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0
+ sysctl:
+ name: net.ipv4.conf.all.accept_local
+ value: '0'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_accept_local
+
+
+
+
+
+
+
+
+
+ Configure ARP filtering for All IPv4 Interfaces
+ To set the runtime status of the net.ipv4.conf.all.arp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_filter=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_filter =
+ This behaviour may cause problems to system on a high availability or load balancing configuration.
+ Prevents the Linux Kernel from handling the ARP table globally.
+By default, the kernel may respond to an ARP request from a certain interface with information
+from another interface.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.all.arp_filter" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+sysctl_net_ipv4_conf_all_arp_filter_value=''
+
+
+#
+# Set runtime for net.ipv4.conf.all.arp_filter
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value"
+
+#
+# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value
+# else, add "net.ipv4.conf.all.arp_filter = value" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_filter")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_filter_value"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_filter\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.all.arp_filter\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.all.arp_filter.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_filter
+
+- name: Comment out any occurrences of net.ipv4.conf.all.arp_filter from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.all.arp_filter
+ replace: '#net.ipv4.conf.all.arp_filter'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_filter
+- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_filter_value # promote to variable
+ set_fact:
+ sysctl_net_ipv4_conf_all_arp_filter_value: !!str
+ tags:
+ - always
+
+- name: Ensure sysctl net.ipv4.conf.all.arp_filter is set
+ sysctl:
+ name: net.ipv4.conf.all.arp_filter
+ value: '{{ sysctl_net_ipv4_conf_all_arp_filter_value }}'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_filter
+
+
+
+
+
+
+
+
+
+
+ Configure Response Mode of ARP Requests for All IPv4 Interfaces
+ To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.arp_ignore=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.arp_ignore =
+ The ARP response mode may impact behaviour of workloads and firewalls on the system.
+ Avoids ARP Flux on system that have more than one interface on the same subnet.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.all.arp_ignore" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+sysctl_net_ipv4_conf_all_arp_ignore_value=''
+
+
+#
+# Set runtime for net.ipv4.conf.all.arp_ignore
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value"
+
+#
+# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value
+# else, add "net.ipv4.conf.all.arp_ignore = value" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.arp_ignore")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_arp_ignore_value"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.arp_ignore\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.all.arp_ignore\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.all.arp_ignore.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_ignore
+
+- name: Comment out any occurrences of net.ipv4.conf.all.arp_ignore from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.all.arp_ignore
+ replace: '#net.ipv4.conf.all.arp_ignore'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_ignore
+- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_ignore_value # promote to variable
+ set_fact:
+ sysctl_net_ipv4_conf_all_arp_ignore_value: !!str
+ tags:
+ - always
+
+- name: Ensure sysctl net.ipv4.conf.all.arp_ignore is set
+ sysctl:
+ name: net.ipv4.conf.all.arp_ignore
+ value: '{{ sysctl_net_ipv4_conf_all_arp_ignore_value }}'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_arp_ignore
+
+
+
+
+
+
+
+
+
+
+ Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
+ To set the runtime status of the net.ipv4.conf.all.route_localnet kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.route_localnet=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.route_localnet = 0
+ Refuse the routing of packets whose source or destination address is the local loopback.
+This prohibits the use of network 127/8 for local routing purposes.
+Enabling route_localnet can expose applications listening on localhost to external traffic.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.all.route_localnet" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for net.ipv4.conf.all.route_localnet
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0"
+
+#
+# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to "0"
+# else, add "net.ipv4.conf.all.route_localnet = 0" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.route_localnet")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.route_localnet\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.all.route_localnet\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.all.route_localnet.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_route_localnet
+
+- name: Comment out any occurrences of net.ipv4.conf.all.route_localnet from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.all.route_localnet
+ replace: '#net.ipv4.conf.all.route_localnet'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_route_localnet
+
+- name: Ensure sysctl net.ipv4.conf.all.route_localnet is set to 0
+ sysctl:
+ name: net.ipv4.conf.all.route_localnet
+ value: '0'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_route_localnet
+
+
+
+
+
+
+
+
+
+ Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces
+ To set the runtime status of the net.ipv4.conf.all.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.shared_media=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.shared_media =
+ This setting should be aligned with net.ipv4.conf.all.secure_redirects because it overrides it.
+If shared_media is enabled for an interface secure_redirects will be enabled too.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.all.shared_media" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+sysctl_net_ipv4_conf_all_shared_media_value=''
+
+
+#
+# Set runtime for net.ipv4.conf.all.shared_media
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value"
+
+#
+# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value
+# else, add "net.ipv4.conf.all.shared_media = value" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.all.shared_media")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_all_shared_media_value"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.all.shared_media\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.all.shared_media\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.all.shared_media.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_shared_media
+
+- name: Comment out any occurrences of net.ipv4.conf.all.shared_media from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.all.shared_media
+ replace: '#net.ipv4.conf.all.shared_media'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_shared_media
+- name: XCCDF Value sysctl_net_ipv4_conf_all_shared_media_value # promote to variable
+ set_fact:
+ sysctl_net_ipv4_conf_all_shared_media_value: !!str
+ tags:
+ - always
+
+- name: Ensure sysctl net.ipv4.conf.all.shared_media is set
+ sysctl:
+ name: net.ipv4.conf.all.shared_media
+ value: '{{ sysctl_net_ipv4_conf_all_shared_media_value }}'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_all_shared_media
+
+
+
+
+
+
+
+
+
+
+ Configure Sending and Accepting Shared Media Redirects by Default
+ To set the runtime status of the net.ipv4.conf.default.shared_media kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.shared_media=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.shared_media =
+ This setting should be aligned with net.ipv4.conf.default.secure_redirects because it overrides it.
+If shared_media is enabled for an interface secure_redirects will be enabled too.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "net.ipv4.conf.default.shared_media" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+sysctl_net_ipv4_conf_default_shared_media_value=''
+
+
+#
+# Set runtime for net.ipv4.conf.default.shared_media
+#
+/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value"
+
+#
+# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value
+# else, add "net.ipv4.conf.default.shared_media = value" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.shared_media")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_shared_media_value"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.shared_media\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^net.ipv4.conf.default.shared_media\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*net.ipv4.conf.default.shared_media.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_default_shared_media
+
+- name: Comment out any occurrences of net.ipv4.conf.default.shared_media from config
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*net.ipv4.conf.default.shared_media
+ replace: '#net.ipv4.conf.default.shared_media'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_default_shared_media
+- name: XCCDF Value sysctl_net_ipv4_conf_default_shared_media_value # promote to variable
+ set_fact:
+ sysctl_net_ipv4_conf_default_shared_media_value: !!str
+ tags:
+ - always
+
+- name: Ensure sysctl net.ipv4.conf.default.shared_media is set
+ sysctl:
+ name: net.ipv4.conf.default.shared_media
+ value: '{{ sysctl_net_ipv4_conf_default_shared_media_value }}'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_net_ipv4_conf_default_shared_media
+
+
+
+
+
+
+
+
+
+
+
+ Network Parameters for Hosts Only
+ If the system is not going to be used as a router, then setting certain
+kernel parameters ensure that the host will not perform routing
+of network traffic.
+
+
+
+
+ nftables
+ If firewalld or iptables are being used in your environment, please follow the guidance in their
+respective section and pass-over the guidance in this section.
+nftables is a subsystem of the Linux kernel providing filtering and classification of network
+packets/datagrams/frames and is the successor to iptables. The biggest change with the
+successor nftables is its simplicity. With iptables, we have to configure every single rule and
+use the syntax which can be compared with normal commands. With nftables, the simpler
+syntax, much like BPF (Berkely Packet Filter) means shorter lines and less repetition.
+Support for nftables should also be compiled into the kernel, together with the related
+nftables modules.
+
+It is available in Linux kernels >= 3.13. Please ensure that your kernel
+supports nftables before choosing this option.
+
+
+ SuSEfirewall2
+ The SuSEfirewall2 provides a managed firewall.
+
+
+ Uncomplicated Firewall (ufw)
+ The Linux kernel in Ubuntu provides a packet filtering system called
+netfilter, and the traditional interface for manipulating netfilter are
+the iptables suite of commands. iptables provide a complete firewall
+solution that is both highly configurable and highly flexible.
+
+Becoming proficient in iptables takes time, and getting started with
+netfilter firewalling using only iptables can be a daunting task. As a
+result, many frontends for iptables have been created over the years,
+each trying to achieve a different result and targeting a different
+audience.
+
+The Uncomplicated Firewall (ufw) is a frontend for iptables and is
+particularly well-suited for host-based firewalls. ufw provides a
+framework for managing netfilter, as well as a command-line interface
+for manipulating the firewall. ufw aims to provide an easy to use
+interface for people unfamiliar with firewall concepts, while at the
+same time simplifies complicated iptables commands to help an
+administrator who knows what he or she is doing. ufw is an upstream
+for other distributions and graphical frontends.
+
+
+ Verify ufw Enabled
+
+The ufw service can be enabled with the following command:
+$ sudo systemctl enable ufw.service
+ CCI-002314
+ SRG-OS-000297-GPOS-00115
+ The ufw service must be enabled and running in order for ufw to protect the system
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'ufw.service'
+"$SYSTEMCTL_EXEC" start 'ufw.service'
+"$SYSTEMCTL_EXEC" enable 'ufw.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service ufw
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service ufw
+ service:
+ name: ufw
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"ufw" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_ufw_enabled
+
+ include enable_ufw
+
+class enable_ufw {
+ service {'ufw':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["ufw"]
+
+
+
+
+
+
+
+
+
+
+ Uncommon Network Protocols
+ The system includes support for several network protocols which are not commonly used.
+Although security vulnerabilities in kernel networking code are not frequently discovered,
+the consequences can be dramatic. Ensuring uncommon network protocols are disabled
+reduces the system's risk to attacks targeted at its implementation of those protocols.
+ Although these protocols are not commonly used, avoid disruption
+in your network environment by ensuring they are not needed
+prior to disabling them.
+
+
+ Disable RDS Support
+ The Reliable Datagram Sockets (RDS) protocol is a transport
+layer protocol designed to provide reliable high-bandwidth,
+low-latency communications between nodes in a cluster.
+
+To configure the system to prevent the rds
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/rds.conf:
+install rds /bin/true
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Disabling RDS protects
+the system against exploitation of any flaws in its implementation.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then
+
+ sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf
+ echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'rds' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/rds.conf
+ regexp: rds
+ line: install rds /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+
+
+
+ Disable TIPC Support
+ The Transparent Inter-Process Communication (TIPC) protocol
+is designed to provide communications between nodes in a
+cluster.
+
+To configure the system to prevent the tipc
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
+install tipc /bin/true
+ This configuration baseline was created to deploy the base operating system for general purpose
+workloads. When the operating system is configured for certain purposes, such as
+a node in High Performance Computing cluster, it is expected that
+the tipc kernel module will be loaded.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ CCI-000381
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ FMT_SMF_EXT.1
+ SRG-OS-000095-GPOS-00049
+ Disabling TIPC protects
+the system against exploitation of any flaws in its implementation.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
+
+ sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
+ echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'tipc' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/tipc.conf
+ regexp: tipc
+ line: install tipc /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+
+
+
+
+ Wireless Networking
+ Wireless networking, such as 802.11
+(WiFi) and Bluetooth, can present a security risk to sensitive or
+classified systems and networks. Wireless networking hardware is
+much more likely to be included in laptop or portable systems than
+in desktops or servers.
+
+Removal of hardware provides the greatest assurance that the wireless
+capability remains disabled. Acquisition policies often include provisions to
+prevent the purchase of equipment that will be used in sensitive spaces and
+includes wireless capabilities. If it is impractical to remove the wireless
+hardware, and policy permits the device to enter sensitive spaces as long
+as wireless is disabled, efforts should instead focus on disabling wireless capability
+via software.
+
+ Disable Wireless Through Software Configuration
+ If it is impossible to remove the wireless hardware
+from the device in question, disable as much of it as possible
+through software. The following methods can disable software
+support for wireless networking, but note that these methods do not
+prevent malicious software or careless users from re-activating the
+devices.
+
+
+
+ Disable Unused Interfaces
+ Network interfaces expand the attack surface of the
+system. Unused interfaces are not monitored or controlled, and
+should be disabled.
+
+If the system does not require network communications but still
+needs to use the loopback interface, remove all files of the form
+ifcfg-interface except for ifcfg-lo from
+/etc/sysconfig/network-scripts:
+$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
+If the system is a standalone machine with no need for network access or even
+communication over the loopback device, then disable this service.
+
+The network service can be disabled with the following command:
+$ sudo systemctl mask --now network.service
+
+
+ Transport Layer Security Support
+ Support for Transport Layer Security (TLS), and its predecessor, the Secure
+Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package
+openssl). TLS provides encrypted and authenticated network
+communications, and many network services include support for it. TLS or SSL
+can be leveraged to avoid any plaintext transmission of sensitive data.
+
+For information on how to use OpenSSL, see
+http://www.openssl.org/docs/. Information on FIPS validation
+of OpenSSL is available at http://www.openssl.org/docs/fips.html
+and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
+
+
+
+ File Permissions and Masks
+ Traditional Unix security relies heavily on file and
+directory permissions to prevent unauthorized users from reading or
+modifying files to which they should not have access.
+
+Several of the commands in this section search filesystems
+for files or directories with certain characteristics, and are
+intended to be run on every local partition on a given system.
+When the variable PART appears in one of the commands below,
+it means that the command is intended to be run repeatedly, with the
+name of each local partition substituted for PART in turn.
+
+The following command prints a list of all xfs partitions on the local
+system, which is the default filesystem for Ubuntu 18.04
+installations:
+$ mount -t xfs | awk '{print $3}'
+For any systems that use a different
+local filesystem type, modify this command as appropriate.
+
+ Verify Permissions on Important Files and
+Directories
+ Permissions for many files on a system must be set
+restrictively to ensure sensitive information is properly protected.
+This section discusses important
+permission restrictions which can be verified
+to ensure that no harmful discrepancies have
+arisen.
+
+ Verify that All World-Writable Directories Have Sticky Bits Set
+ When the so-called 'sticky bit' is set on a directory,
+only the owner of a given file may remove that file from the
+directory. Without the sticky bit, any user with write access to a
+directory may remove any file in the directory. Setting the sticky
+bit prevents users from removing each other's files. In cases where
+there is no reason for a directory to be world-writable, a better
+solution is to remove that permission rather than to set the sticky
+bit. However, if a directory is used by a particular application,
+consult that application's documentation instead of blindly
+changing modes.
+
+To set the sticky bit on a world-writable directory DIR, run the
+following command:
+$ sudo chmod +t DIR
+ BP28(R40)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001090
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000138-GPOS-00069
+ 1.1.20
+ Failing to set the sticky bit on public directories allows unauthorized
+users to delete files in the directory structure.
+
+The only authorized public directories are those temporary directories
+supplied with the system, or those designed to be temporary file
+repositories. The setting is normally reserved for directories used by the
+system, by users for temporary file storage (such as /tmp), and
+for directories requiring global read/write access.
+ df --local -P | awk '{if (NR!=1) print $6}' \
+| xargs -I '$6' find '$6' -xdev -type d \
+\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
+-exec chmod a+t {} +
+
+
+
+
+
+
+
+
+
+ Verify that local System.map file (if exists) is readable only by root
+ Files containing sensitive informations should be protected by restrictive
+ permissions. Most of the time, there is no need that these files need to be read by any non-root user
+
+To properly set the permissions of /boot/System.map-*, run the command:
+$ sudo chmod 0600 /boot/System.map-*
+ BP28(R13)
+ The System.map file contains information about kernel symbols and
+ can give some hints to generate local exploitation.
+
+
+
+
+
+
+
+
+ Ensure No World-Writable Files Exist
+ It is generally a good idea to remove global (other) write
+access to a file when it is discovered. However, check with
+documentation for specific applications before making changes.
+Also, monitor for recurring world-writable files, as these may be
+symptoms of a misconfigured application or user account. Finally,
+this applies to real files and not virtual files that are a part of
+pseudo file systems such as sysfs or procfs.
+ BP28(R40)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Data in world-writable files can be modified by any
+user on the system. In almost all circumstances, files can be
+configured using a combination of user and group permissions to
+support whatever legitimate access is needed without the risk
+caused by world-writable files.
+
+find / -xdev -type f -perm -002 -exec chmod o-w {} \;
+
+
+
+
+
+
+
+
+
+ Enable Kernel Parameter to Enforce DAC on Hardlinks
+ To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1
+ BP28(R23)
+ CCI-002165
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ SRG-OS-000312-GPOS-00122
+ SRG-OS-000312-GPOS-00123
+ SRG-OS-000324-GPOS-00125
+ By enabling this kernel parameter, users can no longer create soft or hard links to
+files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
+based on insecure file system accessed by privileged programs, avoiding an
+exploitation vector exploiting unsafe use of open() or creat().
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_hardlinks.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "fs.protected_hardlinks" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for fs.protected_hardlinks
+#
+/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
+
+#
+# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1"
+# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_hardlinks")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_hardlinks\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^fs.protected_hardlinks\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*fs.protected_hardlinks.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_hardlinks
+
+- name: Comment out any occurrences of fs.protected_hardlinks from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*fs.protected_hardlinks
+ replace: '#fs.protected_hardlinks'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_hardlinks
+
+- name: Ensure sysctl fs.protected_hardlinks is set to 1
+ sysctl:
+ name: fs.protected_hardlinks
+ value: '1'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_hardlinks
+
+
+
+
+
+
+
+
+
+ Enable Kernel Parameter to Enforce DAC on Symlinks
+ To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1
+ BP28(R23)
+ CCI-002165
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ SRG-OS-000312-GPOS-00122
+ SRG-OS-000312-GPOS-00123
+ SRG-OS-000324-GPOS-00125
+ By enabling this kernel parameter, symbolic links are permitted to be followed
+only when outside a sticky world-writable directory, or when the UID of the
+link and follower match, or when the directory owner matches the symlink's owner.
+Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
+accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
+open() or creat().
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*fs.protected_symlinks.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "fs.protected_symlinks" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for fs.protected_symlinks
+#
+/sbin/sysctl -q -n -w fs.protected_symlinks="1"
+
+#
+# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1"
+# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.protected_symlinks")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^fs.protected_symlinks\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^fs.protected_symlinks\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*fs.protected_symlinks.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_symlinks
+
+- name: Comment out any occurrences of fs.protected_symlinks from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*fs.protected_symlinks
+ replace: '#fs.protected_symlinks'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_symlinks
+
+- name: Ensure sysctl fs.protected_symlinks is set to 1
+ sysctl:
+ name: fs.protected_symlinks
+ value: '1'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_protected_symlinks
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Files with Local Account Information and Credentials
+ The default restrictive permissions for files which act as
+important security databases such as passwd, shadow,
+group, and gshadow files must be maintained. Many utilities
+need read access to the passwd file in order to function properly, but
+read access to the shadow file allows malicious attacks against system
+passwords, and should never be enabled.
+
+ Verify Group Who Owns Backup group File
+ To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/group- file is a backup file of /etc/group, and as such,
+it contains information regarding groups that are configured on the system.
+Protection of this file is important for system security.
+
+
+
+chgrp 0 /etc/group-
+
+ - name: Test for existence /etc/group-
+ stat:
+ path: /etc/group-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 0 on /etc/group-
+ file:
+ path: /etc/group-
+ group: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns Backup gshadow File
+ To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp shadow /etc/gshadow-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
+it contains group password hashes. Protection of this file is critical for system security.
+
+
+
+chgrp 42 /etc/gshadow-
+
+ - name: Test for existence /etc/gshadow-
+ stat:
+ path: /etc/gshadow-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 42 on /etc/gshadow-
+ file:
+ path: /etc/gshadow-
+ group: '42'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns Backup passwd File
+ To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/passwd- file is a backup file of /etc/passwd, and as such,
+it contains information about the users that are configured on the system.
+Protection of this file is critical for system security.
+
+
+
+chgrp 0 /etc/passwd-
+
+ - name: Test for existence /etc/passwd-
+ stat:
+ path: /etc/passwd-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 0 on /etc/passwd-
+ file:
+ path: /etc/passwd-
+ group: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_groupowner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns Backup shadow File
+ To properly set the group owner of /etc/shadow-, run the command: $ sudo chgrp shadow /etc/shadow-
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow- file is a backup file of /etc/shadow, and as such,
+it contains the list of local system accounts and password hashes.
+Protection of this file is critical for system security.
+
+
+
+chgrp 42 /etc/shadow-
+
+ - name: Test for existence /etc/shadow-
+ stat:
+ path: /etc/shadow-
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_groupowner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 42 on /etc/shadow-
+ file:
+ path: /etc/shadow-
+ group: '42'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_groupowner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns group File
+ To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/group file contains information regarding groups that are configured
+on the system. Protection of this file is important for system security.
+
+
+
+chgrp 0 /etc/group
+
+ - name: Test for existence /etc/group
+ stat:
+ path: /etc/group
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 0 on /etc/group
+ file:
+ path: /etc/group
+ group: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns gshadow File
+ To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow file contains group password hashes. Protection of this file
+is critical for system security.
+
+
+
+chgrp 42 /etc/gshadow
+
+ - name: Test for existence /etc/gshadow
+ stat:
+ path: /etc/gshadow
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_groupowner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 42 on /etc/gshadow
+ file:
+ path: /etc/gshadow
+ group: '42'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_groupowner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns passwd File
+ To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/passwd file contains information about the users that are configured on
+the system. Protection of this file is critical for system security.
+
+
+
+chgrp 0 /etc/passwd
+
+ - name: Test for existence /etc/passwd
+ stat:
+ path: /etc/passwd
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 0 on /etc/passwd
+ file:
+ path: /etc/passwd
+ group: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns shadow File
+ To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow file stores password hashes. Protection of this file is
+critical for system security.
+
+
+
+chgrp 42 /etc/shadow
+
+ - name: Test for existence /etc/shadow
+ stat:
+ path: /etc/shadow
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 42 on /etc/shadow
+ file:
+ path: /etc/shadow
+ group: '42'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_groupowner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns Backup group File
+ To properly set the owner of /etc/group-, run the command: $ sudo chown root /etc/group-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/group- file is a backup file of /etc/group, and as such,
+it contains information regarding groups that are configured on the system.
+Protection of this file is important for system security.
+
+
+
+chown 0 /etc/group-
+
+ - name: Test for existence /etc/group-
+ stat:
+ path: /etc/group-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/group-
+ file:
+ path: /etc/group-
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns Backup gshadow File
+ To properly set the owner of /etc/gshadow-, run the command: $ sudo chown root /etc/gshadow-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
+it contains group password hashes. Protection of this file is critical for system security.
+
+
+
+chown 0 /etc/gshadow-
+
+ - name: Test for existence /etc/gshadow-
+ stat:
+ path: /etc/gshadow-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/gshadow-
+ file:
+ path: /etc/gshadow-
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns Backup passwd File
+ To properly set the owner of /etc/passwd-, run the command: $ sudo chown root /etc/passwd-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/passwd- file is a backup file of /etc/passwd, and as such,
+it contains information about the users that are configured on the system.
+Protection of this file is critical for system security.
+
+
+
+chown 0 /etc/passwd-
+
+ - name: Test for existence /etc/passwd-
+ stat:
+ path: /etc/passwd-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/passwd-
+ file:
+ path: /etc/passwd-
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns Backup shadow File
+ To properly set the owner of /etc/shadow-, run the command: $ sudo chown root /etc/shadow-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow- file is a backup file of /etc/shadow, and as such,
+it contains the list of local system accounts and password hashes.
+Protection of this file is critical for system security.
+
+
+
+chown 0 /etc/shadow-
+
+ - name: Test for existence /etc/shadow-
+ stat:
+ path: /etc/shadow-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/shadow-
+ file:
+ path: /etc/shadow-
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_owner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns group File
+ To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/group file contains information regarding groups that are configured
+on the system. Protection of this file is important for system security.
+
+
+
+chown 0 /etc/group
+
+ - name: Test for existence /etc/group
+ stat:
+ path: /etc/group
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/group
+ file:
+ path: /etc/group
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns gshadow File
+ To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow file contains group password hashes. Protection of this file
+is critical for system security.
+
+
+
+chown 0 /etc/gshadow
+
+ - name: Test for existence /etc/gshadow
+ stat:
+ path: /etc/gshadow
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/gshadow
+ file:
+ path: /etc/gshadow
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns passwd File
+ To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/passwd file contains information about the users that are configured on
+the system. Protection of this file is critical for system security.
+
+
+
+chown 0 /etc/passwd
+
+ - name: Test for existence /etc/passwd
+ stat:
+ path: /etc/passwd
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/passwd
+ file:
+ path: /etc/passwd
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns shadow File
+ To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow file contains the list of local
+system accounts and stores password hashes. Protection of this file is
+critical for system security. Failure to give ownership of this file
+to root provides the designated owner with access to sensitive information
+which could weaken the system security posture.
+
+
+
+chown 0 /etc/shadow
+
+ - name: Test for existence /etc/shadow
+ stat:
+ path: /etc/shadow
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /etc/shadow
+ file:
+ path: /etc/shadow
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_owner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Backup group File
+
+To properly set the permissions of /etc/group-, run the command:
+$ sudo chmod 0644 /etc/group-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/group- file is a backup file of /etc/group, and as such,
+it contains information regarding groups that are configured on the system.
+Protection of this file is important for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/group-
+
+ - name: Test for existence /etc/group-
+ stat:
+ path: /etc/group-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group-
+ file:
+ path: /etc/group-
+ mode: u-xs,g-xws,o-xwt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Backup gshadow File
+
+To properly set the permissions of /etc/gshadow-, run the command:
+$ sudo chmod 0640 /etc/gshadow-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
+it contains group password hashes. Protection of this file is critical for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /etc/gshadow-
+
+ - name: Test for existence /etc/gshadow-
+ stat:
+ path: /etc/gshadow-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/gshadow-
+ file:
+ path: /etc/gshadow-
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Backup passwd File
+
+To properly set the permissions of /etc/passwd-, run the command:
+$ sudo chmod 0644 /etc/passwd-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/passwd- file is a backup file of /etc/passwd, and as such,
+it contains information about the users that are configured on the system.
+Protection of this file is critical for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd-
+
+ - name: Test for existence /etc/passwd-
+ stat:
+ path: /etc/passwd-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd-
+ file:
+ path: /etc/passwd-
+ mode: u-xs,g-xws,o-xwt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Backup shadow File
+
+To properly set the permissions of /etc/shadow-, run the command:
+$ sudo chmod 0640 /etc/shadow-
+ CCI-002223
+ AC-6 (1)
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow- file is a backup file of /etc/shadow, and as such,
+it contains the list of local system accounts and password hashes.
+Protection of this file is critical for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /etc/shadow-
+
+ - name: Test for existence /etc/shadow-
+ stat:
+ path: /etc/shadow-
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow-
+ file:
+ path: /etc/shadow-
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6 (1)
+ - configure_strategy
+ - file_permissions_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on group File
+
+To properly set the permissions of /etc/passwd, run the command:
+$ sudo chmod 0644 /etc/passwd
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/group file contains information regarding groups that are configured
+on the system. Protection of this file is important for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/group
+
+ - name: Test for existence /etc/group
+ stat:
+ path: /etc/group
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group
+ file:
+ path: /etc/group
+ mode: u-xs,g-xws,o-xwt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on gshadow File
+
+To properly set the permissions of /etc/gshadow, run the command:
+$ sudo chmod 0640 /etc/gshadow
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000480-GPOS-00227
+ The /etc/gshadow file contains group password hashes. Protection of this file
+is critical for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /etc/gshadow
+
+ - name: Test for existence /etc/gshadow
+ stat:
+ path: /etc/gshadow
+ register: file_exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/gshadow
+ file:
+ path: /etc/gshadow
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on passwd File
+
+To properly set the permissions of /etc/passwd, run the command:
+$ sudo chmod 0644 /etc/passwd
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ If the /etc/passwd file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the list of
+accounts on the system and associated information, and protection of this file
+is critical for system security.
+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
+
+ - name: Test for existence /etc/passwd
+ stat:
+ path: /etc/passwd
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd
+ file:
+ path: /etc/passwd
+ mode: u-xs,g-xws,o-xwt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on shadow File
+
+To properly set the permissions of /etc/shadow, run the command:
+$ sudo chmod 0640 /etc/shadow
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.2.2
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-002223
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-8.7.c
+ SRG-OS-000480-GPOS-00227
+ The /etc/shadow file contains the list of local
+system accounts and stores password hashes. Protection of this file is
+critical for system security. Failure to give ownership of this file
+to root provides the designated owner with access to sensitive information
+which could weaken the system security posture.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /etc/shadow
+
+ - name: Test for existence /etc/shadow
+ stat:
+ path: /etc/shadow
+ register: file_exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow
+ file:
+ path: /etc/shadow
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - configure_strategy
+ - file_permissions_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Files within /var/log Directory
+ The /var/log directory contains files with logs of error
+messages in the system and should only be accessed by authorized
+personnel.
+
+ Verify Group Who Owns /var/log Directory
+ To properly set the group owner of /var/log, run the command: $ sudo chgrp syslog /var/log
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log directory contains files with logs of error
+messages in the system and should only be accessed by authorized
+personnel.
+
+
+
+find -H /var/log/ -maxdepth 1 -type d -exec chgrp 110 {} \;
+
+ - name: Ensure group owner on /var/log/
+ file:
+ path: /var/log/
+ state: directory
+ group: '110'
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns /var/log/messages File
+ To properly set the group owner of /var/log/messages, run the command: $ sudo chgrp root /var/log/messages
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/messages file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+chgrp 0 /var/log/messages
+
+ - name: Test for existence /var/log/messages
+ stat:
+ path: /var/log/messages
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 0 on /var/log/messages
+ file:
+ path: /var/log/messages
+ group: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Group Who Owns /var/log/syslog File
+ To properly set the group owner of /var/log/syslog, run the command: $ sudo chgrp adm /var/log/syslog
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/syslog file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+chgrp 4 /var/log/syslog
+
+ - name: Test for existence /var/log/syslog
+ stat:
+ path: /var/log/syslog
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure group owner 4 on /var/log/syslog
+ file:
+ path: /var/log/syslog
+ group: '4'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_groupowner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns /var/log Directory
+ To properly set the owner of /var/log, run the command: $ sudo chown root /var/log
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log directory contains files with logs of error
+messages in the system and should only be accessed by authorized
+personnel.
+
+
+
+find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
+
+ - name: Ensure owner on directory /var/log/
+ file:
+ path: /var/log/
+ state: directory
+ owner: '0'
+ tags:
+ - configure_strategy
+ - file_owner_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns /var/log/messages File
+ To properly set the owner of /var/log/messages, run the command: $ sudo chown root /var/log/messages
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/messages file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+chown 0 /var/log/messages
+
+ - name: Test for existence /var/log/messages
+ stat:
+ path: /var/log/messages
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_owner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 0 on /var/log/messages
+ file:
+ path: /var/log/messages
+ owner: '0'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_owner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify User Who Owns /var/log/syslog File
+ To properly set the owner of /var/log/syslog, run the command: $ sudo chown syslog /var/log/syslog
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/syslog file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+chown 104 /var/log/syslog
+
+ - name: Test for existence /var/log/syslog
+ stat:
+ path: /var/log/syslog
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner 104 on /var/log/syslog
+ file:
+ path: /var/log/syslog
+ owner: '104'
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on /var/log Directory
+
+To properly set the permissions of /var/log, run the command:
+$ sudo chmod 0755 /var/log
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log directory contains files with logs of error
+messages in the system and should only be accessed by authorized
+personnel.
+
+chmod 0755 /var/log/
+
+if grep -q "^z \/var\/log " /usr/lib/tmpfiles.d/00rsyslog.conf; then
+ sed -i --follow-symlinks "s/\(^z[[:space:]]\+\/var\/log[[:space:]]\+\)\(\([[:digit:]]\+\)[^ $]*\)/\10755/" /usr/lib/tmpfiles.d/00rsyslog.conf
+fi
+
+ - name: Set permissions for /var/log/
+ file:
+ path: /var/log/
+ state: directory
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - file_permissions_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on /var/log/messages File
+
+To properly set the permissions of /var/log/messages, run the command:
+$ sudo chmod 0640 /var/log/messages
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/messages file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /var/log/messages
+
+ - name: Test for existence /var/log/messages
+ stat:
+ path: /var/log/messages
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_permissions_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/messages
+ file:
+ path: /var/log/messages
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_permissions_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify Permissions on /var/log/syslog File
+
+To properly set the permissions of /var/log/syslog, run the command:
+$ sudo chmod 0640 /var/log/syslog
+ CCI-001314
+ SRG-OS-000206-GPOS-00084
+ The /var/log/syslog file contains logs of error messages in
+the system and should only be accessed by authorized personnel.
+
+
+
+
+chmod u-xs,g-xws,o-xwrt /var/log/syslog
+
+ - name: Test for existence /var/log/syslog
+ stat:
+ path: /var/log/syslog
+ register: file_exists
+ tags:
+ - configure_strategy
+ - file_permissions_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/syslog
+ file:
+ path: /var/log/syslog
+ mode: u-xs,g-xws,o-xwrt
+ when: file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - configure_strategy
+ - file_permissions_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Verify File Permissions Within Some Important Directories
+ Some directories contain files whose confidentiality or integrity
+is notably important and may also be susceptible to misconfiguration over time, particularly if
+unpackaged software is installed. As such,
+an argument exists to verify that files' permissions within these directories remain
+configured correctly and restrictively.
+
+ Verify that System Executable Have Root Ownership
+ /bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+All these directories should be owned by the root user.
+If any directory DIR in these directories is found
+to be owned by a user other than root, correct its ownership with the
+following command:
+$ sudo chown root DIR
+ CCI-001495
+ SRG-OS-000258-GPOS-00099
+ System binaries are executed by privileged users as well as system services,
+and restrictive permissions are necessary to ensure that their
+execution of these programs cannot be co-opted.
+
+
+
+find -H /bin/ -type d -exec chown 0 {} \;
+
+find -H /sbin/ -type d -exec chown 0 {} \;
+
+find -H /usr/bin/ -type d -exec chown 0 {} \;
+
+find -H /usr/sbin/ -type d -exec chown 0 {} \;
+
+find -H /usr/local/bin/ -type d -exec chown 0 {} \;
+
+find -H /usr/local/sbin/ -type d -exec chown 0 {} \;
+
+ - name: Ensure owner on directory /bin/ recursively
+ file:
+ path: /bin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /sbin/ recursively
+ file:
+ path: /sbin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/bin/ recursively
+ file:
+ path: /usr/bin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/sbin/ recursively
+ file:
+ path: /usr/sbin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/local/bin/ recursively
+ file:
+ path: /usr/local/bin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/local/sbin/ recursively
+ file:
+ path: /usr/local/sbin/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify that Shared Library Directories Have Root Ownership
+ System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are also
+stored in /lib/modules. All files in these directories should be
+owned by the root user. If the directories, is found to be owned
+by a user other than root correct its
+ownership with the following command:
+$ sudo chown root DIR
+ CCI-001499
+ CM-5(6)
+ CM-5(6).1
+ SRG-OS-000259-GPOS-00100
+ Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at
+runtime. Proper ownership of library directories is necessary to protect
+the integrity of the system.
+
+
+
+find -H /lib/ -type d -exec chown 0 {} \;
+
+find -H /lib64/ -type d -exec chown 0 {} \;
+
+find -H /usr/lib/ -type d -exec chown 0 {} \;
+
+find -H /usr/lib64/ -type d -exec chown 0 {} \;
+
+ - name: Ensure owner on directory /lib/ recursively
+ file:
+ path: /lib/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /lib64/ recursively
+ file:
+ path: /lib64/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/lib/ recursively
+ file:
+ path: /usr/lib/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /usr/lib64/ recursively
+ file:
+ path: /usr/lib64/
+ state: directory
+ recurse: true
+ owner: '0'
+ tags:
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify that System Executable Directories Have Restrictive Permissions
+ System executables are stored in the following directories by default:
+/bin
+/sbin
+/usr/bin
+/usr/sbin
+/usr/local/bin
+/usr/local/sbin
+These directories should not be group-writable or world-writable.
+If any directory DIR in these directories is found to be
+group-writable or world-writable, correct its permission with the
+following command:
+$ sudo chmod go-w DIR
+ CCI-001495
+ SRG-OS-000258-GPOS-00099
+ System binaries are executed by privileged users, as well as system services,
+and restrictive permissions are necessary to ensure execution of these programs
+cannot be co-opted.
+
+
+
+
+find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+
+ - name: Set permissions for /bin/ recursively
+ file:
+ path: /bin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /sbin/ recursively
+ file:
+ path: /sbin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/bin/ recursively
+ file:
+ path: /usr/bin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/sbin/ recursively
+ file:
+ path: /usr/sbin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/local/bin/ recursively
+ file:
+ path: /usr/local/bin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/local/sbin/ recursively
+ file:
+ path: /usr/local/sbin/
+ state: directory
+ recurse: true
+ mode: u-s,g-ws,o-wt
+ tags:
+ - configure_strategy
+ - dir_permissions_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify that Shared Library Directories Have Restrictive Permissions
+ System-wide shared library directories, which contain are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are
+stored in /lib/modules. All sub-directories in these directories
+should not be group-writable or world-writable. If any file in these
+directories is found to be group-writable or world-writable, correct
+its permission with the following command:
+$ sudo chmod go-w DIR
+ CCI-001499
+ CIP-003-8 R6
+ CM-5
+ CM-5(6)
+ CM-5(6).1
+ SRG-OS-000259-GPOS-00100
+ If the operating system were to allow any user to make changes to software libraries,
+then those changes might be implemented without undergoing the appropriate testing
+and approvals that are part of a robust change management process.
+
+This requirement applies to operating systems with software libraries that are accessible
+and configurable, as in the case of interpreted languages. Software libraries also include
+privileged programs which execute with escalated privileges. Only qualified and authorized
+individuals must be allowed to obtain access to information system components for purposes
+of initiating changes, including upgrades and modifications.
+
+
+
+
+find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \;
+
+ - name: Set permissions for /lib/ recursively
+ file:
+ path: /lib/
+ state: directory
+ recurse: true
+ mode: g-w,o-w
+ tags:
+ - NIST-800-53-CM-5
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /lib64/ recursively
+ file:
+ path: /lib64/
+ state: directory
+ recurse: true
+ mode: g-w,o-w
+ tags:
+ - NIST-800-53-CM-5
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/lib/ recursively
+ file:
+ path: /usr/lib/
+ state: directory
+ recurse: true
+ mode: g-w,o-w
+ tags:
+ - NIST-800-53-CM-5
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/lib64/ recursively
+ file:
+ path: /usr/lib64/
+ state: directory
+ recurse: true
+ mode: g-w,o-w
+ tags:
+ - NIST-800-53-CM-5
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify that System Executables Have Root Ownership
+ System executables are stored in the following directories by default:
+/bin
+/sbin
+/usr/bin
+/usr/libexec
+/usr/local/bin
+/usr/local/sbin
+/usr/sbin
+All files in these directories should be owned by the root user.
+If any file FILE in these directories is found
+to be owned by a user other than root, correct its ownership with the
+following command:
+$ sudo chown root FILE
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001499
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-5(6)
+ CM-5(6).1
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000259-GPOS-00100
+ System binaries are executed by privileged users as well as system services,
+and restrictive permissions are necessary to ensure that their
+execution of these programs cannot be co-opted.
+
+
+
+
+
+
+
+
+ Verify that Shared Library Files Have Root Ownership
+ System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are also
+stored in /lib/modules. All files in these directories should be
+owned by the root user. If the directory, or any file in these
+directories, is found to be owned by a user other than root correct its
+ownership with the following command:
+$ sudo chown root FILE
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001499
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-5(6)
+ CM-5(6).1
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000259-GPOS-00100
+ Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at
+runtime. Proper ownership is necessary to protect the integrity of the system.
+
+
+
+find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+find /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \;
+
+ - name: Find /lib/ file(s) matching ^.*$ recursively
+ command: find -H /lib/ -type f ! -uid 0 -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /lib/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /lib64/ file(s) matching ^.*$ recursively
+ command: find -H /lib64/ -type f ! -uid 0 -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /lib64/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /usr/lib/ file(s) matching ^.*$ recursively
+ command: find -H /usr/lib/ -type f ! -uid 0 -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /usr/lib/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /usr/lib64/ file(s) matching ^.*$ recursively
+ command: find -H /usr/lib64/ -type f ! -uid 0 -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on /usr/lib64/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Verify that System Executables Have Restrictive Permissions
+ System executables are stored in the following directories by default:
+/bin
+/sbin
+/usr/bin
+/usr/libexec
+/usr/local/bin
+/usr/local/sbin
+/usr/sbin
+All files in these directories should not be group-writable or world-writable.
+If any file FILE in these directories is found
+to be group-writable or world-writable, correct its permission with the
+following command:
+$ sudo chmod go-w FILE
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001499
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-5(6)
+ CM-5(6).1
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000259-GPOS-00100
+ System binaries are executed by privileged users, as well as system services,
+and restrictive permissions are necessary to ensure execution of these programs
+cannot be co-opted.
+ DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec"
+for dirPath in $DIRS; do
+ find "$dirPath" -perm /022 -exec chmod go-w '{}' \;
+done
+
+
+
+
+
+
+
+
+
+ Verify that Shared Library Files Have Restrictive Permissions
+ System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+/lib
+/lib64
+/usr/lib
+/usr/lib64
+
+Kernel modules, which can be added to the kernel during runtime, are
+stored in /lib/modules. All files in these directories
+should not be group-writable or world-writable. If any file in these
+directories is found to be group-writable or world-writable, correct
+its permission with the following command:
+$ sudo chmod go-w FILE
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ CCI-001499
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ CM-5(6)
+ CM-5(6).1
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000259-GPOS-00100
+ Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at
+runtime. Restrictive permissions are necessary to protect the integrity of the system.
+
+
+
+
+find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+find -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \;
+
+ - name: Find /lib/ file(s) recursively
+ command: find -H /lib/ -perm /g+w,o+w -type f -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /lib/ file(s)
+ file:
+ path: '{{ item }}'
+ mode: g-w,o-w
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /lib64/ file(s) recursively
+ command: find -H /lib64/ -perm /g+w,o+w -type f -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /lib64/ file(s)
+ file:
+ path: '{{ item }}'
+ mode: g-w,o-w
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /usr/lib/ file(s) recursively
+ command: find -H /usr/lib/ -perm /g+w,o+w -type f -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/lib/ file(s)
+ file:
+ path: '{{ item }}'
+ mode: g-w,o-w
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Find /usr/lib64/ file(s) recursively
+ command: find -H /usr/lib64/ -perm /g+w,o+w -type f -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /usr/lib64/ file(s)
+ file:
+ path: '{{ item }}'
+ mode: g-w,o-w
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ tags:
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_permissions_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+
+ Restrict Dynamic Mounting and Unmounting of
+Filesystems
+ Linux includes a number of facilities for the automated addition
+and removal of filesystems on a running system. These facilities may be
+necessary in many environments, but this capability also carries some risk -- whether direct
+risk from allowing users to introduce arbitrary filesystems,
+or risk that software flaws in the automated mount facility itself could
+allow an attacker to compromise the system.
+
+This command can be used to list the types of filesystems that are
+available to the currently executing kernel:
+$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
+If these filesystems are not required then they can be explicitly disabled
+in a configuratio file in /etc/modprobe.d.
+
+ Disable the Automounter
+ The autofs daemon mounts and unmounts filesystems, such as user
+home directories shared via NFS, on demand. In addition, autofs can be used to handle
+removable media, and the default configuration provides the cdrom device as /misc/cd.
+However, this method of providing access to removable media is not common, so autofs
+can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
+possible to configure filesystem mounts statically by editing /etc/fstab
+rather than relying on the automounter.
+
+
+The autofs service can be disabled with the following command:
+$ sudo systemctl mask --now autofs.service
+ 1
+ 12
+ 15
+ 16
+ 5
+ APO13.01
+ DSS01.04
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.4.6
+ CCI-000366
+ CCI-000778
+ CCI-001958
+ 164.308(a)(3)(i)
+ 164.308(a)(3)(ii)(A)
+ 164.310(d)(1)
+ 164.310(d)(2)
+ 164.312(a)(1)
+ 164.312(a)(2)(iv)
+ 164.312(b)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.6
+ A.11.2.6
+ A.13.1.1
+ A.13.2.1
+ A.18.1.4
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ MP-7
+ PR.AC-1
+ PR.AC-3
+ PR.AC-6
+ PR.AC-7
+ SRG-OS-000114-GPOS-00059
+ SRG-OS-000378-GPOS-00163
+ SRG-OS-000480-GPOS-00227
+ 1.1.21
+ Disabling the automounter permits the administrator to
+statically control filesystem mounting through /etc/fstab.
+
+Additionally, automatically mounting filesystems permits easy introduction of
+unknown devices, thereby facilitating malicious activity.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'autofs.service'
+"$SYSTEMCTL_EXEC" disable 'autofs.service'
+"$SYSTEMCTL_EXEC" mask 'autofs.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files autofs.socket; then
+ "$SYSTEMCTL_EXEC" stop 'autofs.socket'
+ "$SYSTEMCTL_EXEC" mask 'autofs.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable service autofs
+ block:
+
+ - name: Disable service autofs
+ systemd:
+ name: autofs.service
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ ignore_errors: 'yes'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_autofs_disabled
+
+- name: Unit Socket Exists - autofs.socket
+ command: systemctl list-unit-files autofs.socket
+ register: socket_file_exists
+ changed_when: false
+ ignore_errors: true
+ check_mode: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_autofs_disabled
+
+- name: Disable socket autofs
+ systemd:
+ name: autofs.socket
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"autofs.socket" in socket_file_exists.stdout_lines[1]'
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_autofs_disabled
+
+ include disable_autofs
+
+class disable_autofs {
+ service {'autofs':
+ enable => false,
+ ensure => 'stopped',
+ }
+}
+
+
+[customizations.services]
+disabled = ["autofs"]
+
+
+
+
+
+
+
+
+
+ Disable Mounting of cramfs
+
+To configure the system to prevent the cramfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
+install cramfs /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+
+The cramfs filesystem type is a compressed read-only
+Linux filesystem embedded in small footprint systems. A
+cramfs image can be used without having to first
+decompress the image.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ CCI-000381
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ SRG-OS-000095-GPOS-00049
+ 1.1.1.1
+ Removing support for unneeded filesystem types reduces the local attack surface
+of the server.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
+
+ sed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
+ echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'cramfs' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/cramfs.conf
+ regexp: cramfs
+ line: install cramfs /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_cramfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+
+
+
+ Disable Mounting of freevxfs
+
+To configure the system to prevent the freevxfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
+install freevxfs /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then
+
+ sed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf
+ echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'freevxfs' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/freevxfs.conf
+ regexp: freevxfs
+ line: install freevxfs /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_freevxfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+ Disable Mounting of hfs
+
+To configure the system to prevent the hfs
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:
+install hfs /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
+
+ sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf
+ echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'hfs' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/hfs.conf
+ regexp: hfs
+ line: install hfs /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_hfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+ Disable Mounting of hfsplus
+
+To configure the system to prevent the hfsplus
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:
+install hfsplus /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
+
+ sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
+ echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'hfsplus' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/hfsplus.conf
+ regexp: hfsplus
+ line: install hfsplus /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_hfsplus_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+ Disable Mounting of jffs2
+
+To configure the system to prevent the jffs2
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
+install jffs2 /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then
+
+ sed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf
+ echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'jffs2' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/jffs2.conf
+ regexp: jffs2
+ line: install jffs2 /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_jffs2_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+ Disable Mounting of udf
+
+To configure the system to prevent the udf
+kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
+install udf /bin/true
+
+This effectively prevents usage of this uncommon filesystem.
+
+The udf filesystem type is the universal disk format
+used to implement the ISO/IEC 13346 and ECMA-167 specifications.
+This is an open vendor filesystem type for data storage on a broad
+range of media. This filesystem type is neccessary to support
+writing DVDs and newer optical disc formats.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 3.4.6
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ 1.1.1.6
+ Removing support for unneeded filesystem types reduces the local
+attack surface of the system.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
+
+ sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf
+ echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'udf' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/udf.conf
+ regexp: udf
+ line: install udf /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_udf_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+
+
+
+
+
+
+ Restrict Partition Mount Options
+ System partitions can be mounted with certain options
+that limit what files on those partitions can do. These options
+are set in the /etc/fstab configuration file, and can be
+used to make certain types of malicious behavior more difficult.
+
+ Value for hidepid option
+ The hidepid mount option is applicable to /proc and is used to control who can access
+the information in /proc/[pid] directories. The option can have one of the following
+values:
+0: Everybody may access all /proc/[pid] directories.
+1: Users may not access files and subdirectories inside any /proc/[pid] directories
+ but their own. The /proc/[pid] directories themselves remain visible.
+2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other
+ users become invisible.
+ 0
+ 1
+ 2
+ 2
+
+
+ Removable Partition
+ This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,
+and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from
+removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
+partitions that are required on the local system.
+ /dev/cdrom
+
+
+ Add nodev Option to /dev/shm
+ The nodev mount option can be used to prevent creation of device
+files in /dev/shm. Legitimate character and block devices should
+not exist within temporary directories like /dev/shm.
+Add the nodev option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/dev/shm.
+ 11
+ 13
+ 14
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS05.06
+ DSS06.06
+ CCI-001764
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000368-GPOS-00154
+ 1.1.14
+ The only legitimate location for device files is the /dev directory
+located on the root partition. The only exception to this is chroot jails.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+function perform_remediation {
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/dev/shm"; then
+ if mountpoint -q "/dev/shm"; then
+ mount -o remount --target "/dev/shm"
+ else
+ mount --target "/dev/shm"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
+ command: findmnt '/dev/shm'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /dev/shm
+ - tmpfs
+ - tmpfs
+ - defaults
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ("" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm
+ options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+ }) }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - mount_info is defined and "nodev" not in mount_info.options
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
+ mount:
+ path: /dev/shm
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
+ length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nodev
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add noexec Option to /dev/shm
+ The noexec mount option can be used to prevent binaries
+from being executed out of /dev/shm.
+It can be dangerous to allow the execution of binaries
+from world-writable temporary storage directories such as /dev/shm.
+Add the noexec option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/dev/shm.
+ 11
+ 13
+ 14
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS05.06
+ DSS06.06
+ CCI-001764
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000368-GPOS-00154
+ 1.1.16
+ Allowing users to execute binaries from world-writable directories
+such as /dev/shm can expose the system to potential compromise.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+function perform_remediation {
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/dev/shm"; then
+ if mountpoint -q "/dev/shm"; then
+ mount -o remount --target "/dev/shm"
+ else
+ mount --target "/dev/shm"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
+ command: findmnt '/dev/shm'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
+ manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /dev/shm
+ - tmpfs
+ - tmpfs
+ - defaults
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ("" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
+ /dev/shm options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
+ }) }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - mount_info is defined and "noexec" not in mount_info.options
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
+ mount:
+ path: /dev/shm
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
+ length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_noexec
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add nosuid Option to /dev/shm
+ The nosuid mount option can be used to prevent execution
+of setuid programs in /dev/shm. The SUID and SGID permissions should not
+be required in these world-writable directories.
+Add the nosuid option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/dev/shm.
+ 11
+ 13
+ 14
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS05.06
+ DSS06.06
+ CCI-001764
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000368-GPOS-00154
+ 1.1.15
+ The presence of SUID and SGID executables should be tightly controlled. Users
+should not be able to execute SUID or SGID binaries from temporary storage partitions.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+function perform_remediation {
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/dev/shm"; then
+ if mountpoint -q "/dev/shm"; then
+ mount -o remount --target "/dev/shm"
+ else
+ mount --target "/dev/shm"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'
+ command: findmnt '/dev/shm'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info
+ manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /dev/shm
+ - tmpfs
+ - tmpfs
+ - defaults
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ("" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to
+ /dev/shm options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
+ }) }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - mount_info is defined and "nosuid" not in mount_info.options
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'
+ mount:
+ path: /dev/shm
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
+ length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_dev_shm_nosuid
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add nodev Option to /home
+ The nodev mount option can be used to prevent device files from
+being created in /home.
+Legitimate character and block devices should exist only in
+the /dev directory on the root partition or within chroot
+jails built for system services.
+Add the nodev option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/home.
+ BP28(R12)
+ SRG-OS-000368-GPOS-00154
+ 1.1.13
+ The only legitimate location for device files is the /dev directory
+located on the root partition. The only exception to this is chroot jails.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /home defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/home"; then
+ if mountpoint -q "/home"; then
+ mount -o remount --target "/home"
+ else
+ mount --target "/home"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nodev Option to /home: Check information associated to mountpoint'
+ command: findmnt --fstab '/home'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
+- name: 'Add nodev Option to /home: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
+- name: 'Add nodev Option to /home: If /home not mounted, craft mount_info manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /home
+ - ''
+ - ''
+ - defaults
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
+- name: 'Add nodev Option to /home: Make sure nodev option is part of the to /home
+ options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+ }) }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - mount_info is defined and "nodev" not in mount_info.options
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
+- name: 'Add nodev Option to /home: Ensure /home is mounted with nodev option'
+ mount:
+ path: /home
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - mount_option_home_nodev
+ - no_reboot_needed
+ - unknown_severity
+
+
+
+
+
+
+
+
+
+ Add nodev Option to Removable Media Partitions
+ The nodev mount option prevents files from being
+interpreted as character or block devices.
+Legitimate character and block devices should exist only in
+the /dev directory on the root partition or within chroot
+jails built for system services.
+Add the nodev option to the fourth column of
+/etc/fstab for the line which controls mounting of
+
+ any removable media partitions.
+ 11
+ 12
+ 13
+ 14
+ 16
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.06
+ DSS05.07
+ DSS06.03
+ DSS06.06
+ CCI-000366
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ A.9.2.1
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.AC-3
+ PR.AC-6
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000480-GPOS-00227
+ 1.1.17
+ The only legitimate location for device files is the /dev directory
+located on the root partition. An exception to this is chroot jails, and it is
+not advised to set nodev on partitions which contain their root
+filesystems.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_removable_partition=''
+
+
+device_regex="^\s*$var_removable_partition\s\+"
+mount_option="nodev"
+
+if grep -q $device_regex /etc/fstab ; then
+ previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
+ sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
+else
+ echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
+ return 1
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_removable_partition # promote to variable
+ set_fact:
+ var_removable_partition: !!str
+ tags:
+ - always
+
+- name: Ensure permission nodev are set on var_removable_partition
+ lineinfile:
+ path: /etc/fstab
+ regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
+ backrefs: true
+ line: \1 \2 \3 \4,nodev \5
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_nodev_removable_partitions
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Add noexec Option to Removable Media Partitions
+ The noexec mount option prevents the direct execution of binaries
+on the mounted filesystem. Preventing the direct execution of binaries from
+removable media (such as a USB key) provides a defense against malicious
+software that may be present on such untrusted media.
+Add the noexec option to the fourth column of
+/etc/fstab for the line which controls mounting of
+
+ any removable media partitions.
+ 11
+ 12
+ 13
+ 14
+ 16
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.06
+ DSS05.07
+ DSS06.03
+ DSS06.06
+ CCI-000087
+ CCI-000366
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ A.9.2.1
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.AC-3
+ PR.AC-6
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000480-GPOS-00227
+ 1.1.19
+ Allowing users to execute binaries from removable media such as USB keys exposes
+the system to potential compromise.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_removable_partition=''
+
+
+device_regex="^\s*$var_removable_partition\s\+"
+mount_option="noexec"
+
+if grep -q $device_regex /etc/fstab ; then
+ previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
+ sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
+else
+ echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
+ return 1
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_removable_partition # promote to variable
+ set_fact:
+ var_removable_partition: !!str
+ tags:
+ - always
+
+- name: Ensure permission noexec are set on var_removable_partition
+ lineinfile:
+ path: /etc/fstab
+ regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
+ backrefs: true
+ line: \1 \2 \3 \4,noexec \5
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_noexec_removable_partitions
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Add nosuid Option to Removable Media Partitions
+ The nosuid mount option prevents set-user-identifier (SUID)
+and set-group-identifier (SGID) permissions from taking effect. These permissions
+allow users to execute binaries with the same permissions as the owner and group
+of the file respectively. Users should not be allowed to introduce SUID and SGID
+files into the system via partitions mounted from removeable media.
+Add the nosuid option to the fourth column of
+/etc/fstab for the line which controls mounting of
+
+ any removable media partitions.
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 8
+ 9
+ APO01.06
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.06
+ DSS05.07
+ DSS06.02
+ DSS06.03
+ DSS06.06
+ CCI-000366
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 5.2
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.11.2.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.AC-3
+ PR.AC-4
+ PR.AC-6
+ PR.DS-5
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000480-GPOS-00227
+ 1.1.18
+ The presence of SUID and SGID executables should be tightly controlled. Allowing
+users to introduce SUID or SGID binaries from partitions mounted off of
+removable media would allow them to introduce their own highly-privileged programs.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_removable_partition=''
+
+
+device_regex="^\s*$var_removable_partition\s\+"
+mount_option="nosuid"
+
+if grep -q $device_regex /etc/fstab ; then
+ previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
+ sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
+else
+ echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
+ return 1
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_removable_partition # promote to variable
+ set_fact:
+ var_removable_partition: !!str
+ tags:
+ - always
+
+- name: Ensure permission nosuid are set on var_removable_partition
+ lineinfile:
+ path: /etc/fstab
+ regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
+ backrefs: true
+ line: \1 \2 \3 \4,nosuid \5
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_nosuid_removable_partitions
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Add nodev Option to /tmp
+ The nodev mount option can be used to prevent device files from
+being created in /tmp. Legitimate character and block devices
+should not exist within temporary directories like /tmp.
+Add the nodev option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/tmp.
+ BP28(R12)
+ 11
+ 13
+ 14
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS05.06
+ DSS06.06
+ CCI-001764
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000368-GPOS-00154
+ 1.1.3
+ The only legitimate location for device files is the /dev directory
+located on the root partition. The only exception to this is chroot jails.
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null ); then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/tmp")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/tmp"; then
+ if mountpoint -q "/tmp"; then
+ mount -o remount --target "/tmp"
+ else
+ mount --target "/tmp"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nodev Option to /tmp: Check information associated to mountpoint'
+ command: findmnt --fstab '/tmp'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /tmp: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /tmp: If /tmp not mounted, craft mount_info manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /tmp
+ - ''
+ - ''
+ - defaults
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /tmp: Make sure nodev option is part of the to /tmp options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+ }) }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - mount_info is defined and "nodev" not in mount_info.options
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /tmp: Ensure /tmp is mounted with nodev option'
+ mount:
+ path: /tmp
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nodev
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add nosuid Option to /tmp
+ The nosuid mount option can be used to prevent
+execution of setuid programs in /tmp. The SUID and SGID permissions
+should not be required in these world-writable directories.
+Add the nosuid option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/tmp.
+ BP28(R12)
+ 11
+ 13
+ 14
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS05.06
+ DSS06.06
+ CCI-001764
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.11.2.9
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.8.2.1
+ A.8.2.2
+ A.8.2.3
+ A.8.3.1
+ A.8.3.3
+ A.9.1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-6
+ AC-6(1)
+ MP-7
+ PR.IP-1
+ PR.PT-2
+ PR.PT-3
+ SRG-OS-000368-GPOS-00154
+ 1.1.4
+ The presence of SUID and SGID executables should be tightly controlled. Users
+should not be able to execute SUID or SGID binaries from temporary storage partitions.
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/tmp" > /dev/null ); then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/tmp")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /tmp)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/tmp"; then
+ if mountpoint -q "/tmp"; then
+ mount -o remount --target "/tmp"
+ else
+ mount --target "/tmp"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'
+ command: findmnt --fstab '/tmp'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /tmp
+ - ''
+ - ''
+ - defaults
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp
+ options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
+ }) }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - mount_info is defined and "nosuid" not in mount_info.options
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option'
+ mount:
+ path: /tmp
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - NIST-800-53-AC-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_tmp_nosuid
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add nodev Option to /var/tmp
+ The nodev mount option can be used to prevent device files from
+being created in /var/tmp. Legitimate character and block devices
+should not exist within temporary directories like /var/tmp.
+Add the nodev option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/var/tmp.
+ BP28(R12)
+ CCI-001764
+ SRG-OS-000368-GPOS-00154
+ 1.1.7
+ The only legitimate location for device files is the /dev directory
+located on the root partition. The only exception to this is chroot jails.
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null ); then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/tmp")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/tmp)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /var/tmp defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/var/tmp"; then
+ if mountpoint -q "/var/tmp"; then
+ mount -o remount --target "/var/tmp"
+ else
+ mount --target "/var/tmp"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'
+ command: findmnt --fstab '/var/tmp'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/tmp" in ansible_mounts | map(attribute="mount") | list
+ )
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /var/tmp: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /var/tmp
+ - ''
+ - ''
+ - defaults
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /var/tmp: Make sure nodev option is part of the to /var/tmp
+ options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
+ }) }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - mount_info is defined and "nodev" not in mount_info.options
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nodev
+ - no_reboot_needed
+
+- name: 'Add nodev Option to /var/tmp: Ensure /var/tmp is mounted with nodev option'
+ mount:
+ path: /var/tmp
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nodev
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add noexec Option to /var/tmp
+ The noexec mount option can be used to prevent binaries
+from being executed out of /var/tmp.
+Add the noexec option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/var/tmp.
+ BP28(R12)
+ CCI-001764
+ SRG-OS-000368-GPOS-00154
+ 1.1.9
+ Allowing users to execute binaries from world-writable directories
+such as /var/tmp should never be necessary in normal operation and
+can expose the system to potential compromise.
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null ); then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/tmp")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/tmp)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /var/tmp defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/var/tmp"; then
+ if mountpoint -q "/var/tmp"; then
+ mount -o remount --target "/var/tmp"
+ else
+ mount --target "/var/tmp"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'
+ command: findmnt --fstab '/var/tmp'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/tmp" in ansible_mounts | map(attribute="mount") | list
+ )
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info
+ manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /var/tmp
+ - ''
+ - ''
+ - defaults
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to
+ /var/tmp options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
+ }) }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - mount_info is defined and "noexec" not in mount_info.options
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_noexec
+ - no_reboot_needed
+
+- name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option'
+ mount:
+ path: /var/tmp
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_noexec
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Add nosuid Option to /var/tmp
+ The nosuid mount option can be used to prevent
+execution of setuid programs in /var/tmp. The SUID and SGID permissions
+should not be required in these world-writable directories.
+Add the nosuid option to the fourth column of
+/etc/fstab for the line which controls mounting of
+/var/tmp.
+ BP28(R12)
+ CCI-001764
+ SRG-OS-000368-GPOS-00154
+ 1.1.8
+ The presence of SUID and SGID executables should be tightly controlled. Users
+should not be able to execute SUID or SGID binaries from temporary storage partitions.
+
+ # Remediation is applicable only in certain platforms
+if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null ); then
+
+function perform_remediation {
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/tmp")"
+
+ grep "$mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options" >&2;
+ echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
+
+
+
+ mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/tmp)"
+
+ # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
+ if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
+ # runtime opts without some automatic kernel/userspace-added defaults
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
+ | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
+ [ "$previous_mount_opts" ] && previous_mount_opts+=","
+ echo " /var/tmp defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
+ # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
+ elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
+ previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
+ fi
+
+
+ if mkdir -p "/var/tmp"; then
+ if mountpoint -q "/var/tmp"; then
+ mount -o remount --target "/var/tmp"
+ else
+ mount --target "/var/tmp"
+ fi
+ fi
+}
+
+perform_remediation
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'
+ command: findmnt --fstab '/var/tmp'
+ register: device_name
+ failed_when: device_name.rc > 1
+ changed_when: false
+ when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
+ "container"] and "/var/tmp" in ansible_mounts | map(attribute="mount") | list
+ )
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - '{{ device_name.stdout_lines[0].split() | list | lower }}'
+ - '{{ device_name.stdout_lines[1].split() | list }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - device_name.stdout is defined and device_name.stdout_lines is defined
+ - (device_name.stdout | length > 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info
+ manually'
+ set_fact:
+ mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
+ with_together:
+ - - target
+ - source
+ - fstype
+ - options
+ - - /var/tmp
+ - ''
+ - ''
+ - defaults
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - ("--fstab" | length == 0)
+ - (device_name.stdout | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /var/tmp: Make sure nosuid option is part of the to
+ /var/tmp options'
+ set_fact:
+ mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
+ }) }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - mount_info is defined and "nosuid" not in mount_info.options
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nosuid
+ - no_reboot_needed
+
+- name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option'
+ mount:
+ path: /var/tmp
+ src: '{{ mount_info.source }}'
+ opts: '{{ mount_info.options }}'
+ state: mounted
+ fstype: '{{ mount_info.fstype }}'
+ when:
+ - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ and "/var/tmp" in ansible_mounts | map(attribute="mount") | list )
+ - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
+ | length == 0)
+ tags:
+ - configure_strategy
+ - high_disruption
+ - low_complexity
+ - medium_severity
+ - mount_option_var_tmp_nosuid
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+
+ Verify Permissions on Important Files and
+Directories Are Configured in /etc/permissions.local
+ Permissions for many files on a system must be set
+restrictively to ensure sensitive information is properly protected.
+This section discusses the /etc/permissions.local file, where
+expected permissions can be configured to be checked and fixed through
+usage of the chkstat command.
+
+
+ Restrict Programs from Dangerous Execution Patterns
+ The recommendations in this section are designed to
+ensure that the system's features to protect against potentially
+dangerous program execution are activated.
+These protections are applied at the system initialization or
+kernel level, and defend against certain types of badly-configured
+or compromised programs.
+
+ kernel.unprivileged_bpf_disabled
+ Prevent unprivileged processes from using the bpf() syscall.
+ 2
+ 1
+ 2
+
+
+ Disable the uvcvideo module
+ If the device contains a camera it should be covered or disabled when not in use.
+ CCI-000381
+ CM-7 (a)
+ CM-7 (5) (b)
+ SRG-OS-000095-GPOS-00049
+ SRG-OS-000370-GPOS-00155
+ Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
+Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
+
+ sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf
+else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf
+ echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure kernel module 'uvcvideo' is disabled
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/uvcvideo.conf
+ regexp: uvcvideo
+ line: install uvcvideo /bin/true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-7 (5) (b)
+ - NIST-800-53-CM-7 (a)
+ - disable_strategy
+ - kernel_module_uvcvideo_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+
+
+
+
+
+
+
+
+ Kernel panic on oops
+ To set the runtime status of the kernel.panic_on_oops kernel parameter, run the following command: $ sudo sysctl -w kernel.panic_on_oops=1
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.panic_on_oops = 1
+ The system may start to panic when it normally wouldn't. A non-catastrophic error that
+would have allowed the system to continue operating will now result in a panic.
+ An attacker trying to exploit the kernel may trigger kernel OOPSes,
+panicking the system will impede them from continuing.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.panic_on_oops.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "kernel.panic_on_oops" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for kernel.panic_on_oops
+#
+/sbin/sysctl -q -n -w kernel.panic_on_oops="1"
+
+#
+# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to "1"
+# else, add "kernel.panic_on_oops = 1" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.panic_on_oops")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.panic_on_oops\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^kernel.panic_on_oops\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*kernel.panic_on_oops.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_panic_on_oops
+
+- name: Comment out any occurrences of kernel.panic_on_oops from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*kernel.panic_on_oops
+ replace: '#kernel.panic_on_oops'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_panic_on_oops
+
+- name: Ensure sysctl kernel.panic_on_oops is set to 1
+ sysctl:
+ name: kernel.panic_on_oops
+ value: '1'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_panic_on_oops
+
+
+
+
+
+
+
+
+
+ Disable Core Dumps
+ A core dump file is the memory image of an executable
+program when it was terminated by the operating system due to
+errant behavior. In most cases, only software developers
+legitimately need to access these files. The core dump files may
+also contain sensitive information, or unnecessarily occupy large
+amounts of disk space.
+
+Once a hard limit is set in /etc/security/limits.conf, or
+to a file within the /etc/security/limits.d/ directory, a
+user cannot increase that limit within his or her own session. If access
+to core dumps is required, consider restricting them to only
+certain users or groups. See the limits.conf man page for more
+information.
+
+The core dumps of setuid programs are further protected. The
+sysctl variable fs.suid_dumpable controls whether
+the kernel allows core dumps from these programs at all. The default
+value of 0 is recommended.
+
+ Disable core dump backtraces
+ The ProcessSizeMax option in [Coredump] section
+of /etc/systemd/coredump.conf
+specifies the maximum size in bytes of a core which will be processed.
+Core dumps exceeding this size may be stored, but the backtrace will not
+be generated.
+ If the /etc/systemd/coredump.conf file
+does not already contain the [Coredump] section,
+the value will not be configured correctly.
+ CCI-000366
+ CM-6
+ FMT_SMF_EXT.1
+ SRG-OS-000480-GPOS-00227
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data
+and is generally useful only for developers or system operators trying to
+debug problems.
+
+Enabling core dumps on production systems is not recommended,
+however there may be overriding operational requirements to enable advanced
+debuging. Permitting temporary enablement of core dumps during such situations
+should be reviewed through local needs and policy.
+ if [ -e "/etc/systemd/coredump.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf"
+else
+ touch "/etc/systemd/coredump.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/systemd/coredump.conf"
+
+cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf"
+# Clean up after ourselves.
+rm "/etc/systemd/coredump.conf.bak"
+
+ - name: Disable core dump backtraces
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*ProcessSizeMax\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/systemd/coredump.conf
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*ProcessSizeMax\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/systemd/coredump.conf
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*ProcessSizeMax\s*=\s*
+ line: ProcessSizeMax=0
+ state: present
+ tags:
+ - NIST-800-53-CM-6
+ - coredump_disable_backtraces
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Disable storing core dump
+ The Storage option in [Coredump] section
+of /etc/systemd/coredump.conf
+can be set to none to disable storing core dumps permanently.
+ If the /etc/systemd/coredump.conf file
+does not already contain the [Coredump] section,
+the value will not be configured correctly.
+ CCI-000366
+ CM-6
+ FMT_SMF_EXT.1
+ SRG-OS-000480-GPOS-00227
+ A core dump includes a memory image taken at the time the operating system
+terminates an application. The memory image could contain sensitive data
+and is generally useful only for developers or system operators trying to
+debug problems. Enabling core dumps on production systems is not recommended,
+however there may be overriding operational requirements to enable advanced
+debuging. Permitting temporary enablement of core dumps during such situations
+should be reviewed through local needs and policy.
+ if [ -e "/etc/systemd/coredump.conf" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf"
+else
+ touch "/etc/systemd/coredump.conf"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/systemd/coredump.conf"
+
+cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak"
+# Insert at the end of the file
+printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf"
+# Clean up after ourselves.
+rm "/etc/systemd/coredump.conf.bak"
+
+ - name: Disable storing core dump
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*Storage\s*=\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/systemd/coredump.conf
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*Storage\s*=\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/systemd/coredump.conf
+ lineinfile:
+ path: /etc/systemd/coredump.conf
+ create: false
+ regexp: ^\s*Storage\s*=\s*
+ line: Storage=none
+ state: present
+ tags:
+ - NIST-800-53-CM-6
+ - coredump_disable_storage
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+ Disable Core Dumps for SUID programs
+ To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0
+ BP28(R23)
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)
+ 164.308(a)(4)
+ 164.310(b)
+ 164.310(c)
+ 164.312(a)
+ 164.312(e)
+ SI-11(a)
+ SI-11(b)
+ The core dump of a setuid program is more likely to contain
+sensitive data, as the program itself runs with greater privileges than the
+user who initiated execution of the program. Disabling the ability for any
+setuid program to write a core file decreases the risk of unauthorized access
+of such data.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*fs.suid_dumpable.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "fs.suid_dumpable" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for fs.suid_dumpable
+#
+/sbin/sysctl -q -n -w fs.suid_dumpable="0"
+
+#
+# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
+# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^fs.suid_dumpable")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "0"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^fs.suid_dumpable\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^fs.suid_dumpable\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*fs.suid_dumpable.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-SI-11(a)
+ - NIST-800-53-SI-11(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_suid_dumpable
+
+- name: Comment out any occurrences of fs.suid_dumpable from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*fs.suid_dumpable
+ replace: '#fs.suid_dumpable'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-SI-11(a)
+ - NIST-800-53-SI-11(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_suid_dumpable
+
+- name: Ensure sysctl fs.suid_dumpable is set to 0
+ sysctl:
+ name: fs.suid_dumpable
+ value: '0'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-SI-11(a)
+ - NIST-800-53-SI-11(b)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_fs_suid_dumpable
+
+
+
+
+
+
+
+
+
+
+ Daemon Umask
+ The umask is a per-process setting which limits
+the default permissions for creation of new files and directories.
+The system includes initialization scripts which set the default umask
+for system daemons.
+
+ daemon umask
+ Enter umask for daemons
+ 022
+ 027
+ 022
+
+
+
+ Enable ExecShield
+ ExecShield describes kernel features that provide
+protection against exploitation of memory corruption errors such as buffer
+overflows. These features include random placement of the stack and other
+memory regions, prevention of execution in memory that should only hold data,
+and special handling of text buffers. These protections are enabled by default
+on 32-bit systems and controlled through sysctl variables
+kernel.exec-shield and kernel.randomize_va_space. On the latest
+64-bit systems, kernel.exec-shield cannot be enabled or disabled with
+sysctl.
+
+ kernel.kptr_restrict
+ Configure exposition of kernel pointer addresses
+ 1
+ 1
+ 2
+
+
+ Restrict Exposed Kernel Pointer Addresses Access
+ To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict =
+ BP28(R23)
+ CCI-002824
+ CCI-000366
+ CIP-002-5 R1.1
+ CIP-002-5 R1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 4.1
+ CIP-004-6 4.2
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.2.4
+ CIP-004-6 R2.3
+ CIP-004-6 R4
+ CIP-005-6 R1
+ CIP-005-6 R1.1
+ CIP-005-6 R1.2
+ CIP-007-3 R3
+ CIP-007-3 R3.1
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.1.3
+ CIP-007-3 R5.2.1
+ CIP-007-3 R5.2.3
+ CIP-007-3 R8.4
+ CIP-009-6 R.1.1
+ CIP-009-6 R4
+ SC-30
+ SC-30(2)
+ SC-30(5)
+ CM-6(a)
+ SRG-OS-000132-GPOS-00067
+ SRG-OS-000433-GPOS-00192
+ SRG-OS-000480-GPOS-00227
+ Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
+writeable structures which may contain functions pointers. If a write vulnerability
+occurs in the kernel, allowing write access to any of this structure, the kernel can
+be compromised. This option disallow any program without the CAP_SYSLOG capability
+to get the addresses of kernel pointers by replacing them with 0.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "kernel.kptr_restrict" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+sysctl_kernel_kptr_restrict_value=''
+
+
+#
+# Set runtime for kernel.kptr_restrict
+#
+/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
+
+#
+# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
+# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*kernel.kptr_restrict.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - NIST-800-53-SC-30(5)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_kptr_restrict
+
+- name: Comment out any occurrences of kernel.kptr_restrict from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*kernel.kptr_restrict
+ replace: '#kernel.kptr_restrict'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - NIST-800-53-SC-30(5)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_kptr_restrict
+- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
+ set_fact:
+ sysctl_kernel_kptr_restrict_value: !!str
+ tags:
+ - always
+
+- name: Ensure sysctl kernel.kptr_restrict is set
+ sysctl:
+ name: kernel.kptr_restrict
+ value: '{{ sysctl_kernel_kptr_restrict_value }}'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - NIST-800-53-SC-30(5)
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_kptr_restrict
+
+
+
+
+
+
+
+
+
+
+ Enable Randomized Layout of Virtual Address Space
+ To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2
+ BP28(R23)
+ 3.1.7
+ CCI-000366
+ CCI-002824
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)
+ 164.308(a)(4)
+ 164.310(b)
+ 164.310(c)
+ 164.312(a)
+ 164.312(e)
+ CIP-002-5 R1.1
+ CIP-002-5 R1.2
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 4.1
+ CIP-004-6 4.2
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.2.4
+ CIP-004-6 R2.3
+ CIP-004-6 R4
+ CIP-005-6 R1
+ CIP-005-6 R1.1
+ CIP-005-6 R1.2
+ CIP-007-3 R3
+ CIP-007-3 R3.1
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.1.3
+ CIP-007-3 R5.2.1
+ CIP-007-3 R5.2.3
+ CIP-007-3 R8.4
+ CIP-009-6 R.1.1
+ CIP-009-6 R4
+ SC-30
+ SC-30(2)
+ CM-6(a)
+ Req-2.2.1
+ SRG-OS-000433-GPOS-00193
+ SRG-OS-000480-GPOS-00227
+ Address space layout randomization (ASLR) makes it more difficult for an
+attacker to predict the location of attack code they have introduced into a
+process's address space during an attempt at exploitation. Additionally,
+ASLR makes it more difficult for an attacker to know the location of
+existing code in order to re-purpose it using return oriented programming
+(ROP) techniques.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "kernel.randomize_va_space" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for kernel.randomize_va_space
+#
+/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
+
+#
+# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
+# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s = %s" "$stripped_key" "2"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ - /usr/local/lib/sysctl.d/
+ - /usr/lib/sysctl.d/
+ contains: ^[\s]*kernel.randomize_va_space.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - PCI-DSS-Req-2.2.1
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_randomize_va_space
+
+- name: Comment out any occurrences of kernel.randomize_va_space from config files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*kernel.randomize_va_space
+ replace: '#kernel.randomize_va_space'
+ loop: '{{ find_sysctl_d.files }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - PCI-DSS-Req-2.2.1
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_randomize_va_space
+
+- name: Ensure sysctl kernel.randomize_va_space is set to 2
+ sysctl:
+ name: kernel.randomize_va_space
+ value: '2'
+ state: present
+ reload: true
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-30
+ - NIST-800-53-SC-30(2)
+ - PCI-DSS-Req-2.2.1
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_randomize_va_space
+
+
+
+
+
+
+
+
+
+
+ Enable Execute Disable (XD) or No Execute (NX) Support on
+x86 Systems
+ Recent processors in the x86 family support the
+ability to prevent code execution on a per memory page basis.
+Generically and on AMD processors, this ability is called No
+Execute (NX), while on Intel processors it is called Execute
+Disable (XD). This ability can help prevent exploitation of buffer
+overflow vulnerabilities and should be activated whenever possible.
+Extra steps must be taken to ensure that this protection is
+enabled, particularly on 32-bit x86 systems. Other processors, such
+as Itanium and POWER, have included such support since inception
+and the standard kernel for those platforms supports the
+feature. This is enabled by default on the latest Oracle Linux, Red Hat and
+Fedora systems if supported by the hardware.
+
+
+ Memory Poisoning
+ Memory Poisoning consists of writing a special value to uninitialized or freed memory.
+Poisoning can be used as a mechanism to prevent leak of information and detection of
+corrupted memory.
+
+
+ slub_debug - debug options
+ Defines the debug options to use in slub_debug kernel command line argument.
+ P
+ F
+ Z
+ P
+ FZ
+ FZP
+
+
+
+
+
+ SELinux
+ SELinux is a feature of the Linux kernel which can be
+used to guard against misconfigured or compromised programs.
+SELinux enforces the idea that programs should be limited in what
+files they can access and what actions they can take.
+
+The default SELinux policy, as configured on Ubuntu 18.04, has been
+sufficiently developed and debugged that it should be usable on
+almost any system with minimal configuration and a small
+amount of system administrator training. This policy prevents
+system services - including most of the common network-visible
+services such as mail servers, FTP servers, and DNS servers - from
+accessing files which those services have no valid reason to
+access. This action alone prevents a huge amount of possible damage
+from network attacks against services, from trojaned software, and
+so forth.
+
+This guide recommends that SELinux be enabled using the
+default (targeted) policy on every Ubuntu 18.04 system, unless that
+system has unusual requirements which make a stronger policy
+appropriate.
+
+
+ SELinux policy
+ Type of policy in use. Possible values are:
+targeted - Only targeted network daemons are protected.
+strict - Full SELinux protection.
+mls - Multiple levels of security
+ targeted
+ mls
+ targeted
+
+
+ SELinux state
+ enforcing - SELinux security policy is enforced.
+permissive - SELinux prints warnings instead of enforcing.
+disabled - SELinux is fully disabled.
+ enforcing
+ disabled
+ enforcing
+ permissive
+
+
+ Ensure SELinux State is Enforcing
+ The SELinux state should be set to at
+system boot time. In the file /etc/selinux/config, add or correct the
+following line to configure the system to boot into enforcing mode:
+SELINUX=
+ BP28(R4)
+ BP28(R66)
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 4
+ 5
+ 6
+ 8
+ 9
+ APO01.06
+ APO11.04
+ APO13.01
+ BAI03.05
+ DSS01.05
+ DSS03.01
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.02
+ DSS06.03
+ DSS06.06
+ MEA02.01
+ 3.1.2
+ 3.7.2
+ CCI-001084
+ CCI-002165
+ CCI-002696
+ 164.308(a)(1)(ii)(D)
+ 164.308(a)(3)
+ 164.308(a)(4)
+ 164.310(b)
+ 164.310(c)
+ 164.312(a)
+ 164.312(e)
+ 4.2.3.4
+ 4.3.3.2.2
+ 4.3.3.3.9
+ 4.3.3.4
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ 4.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 2.8
+ SR 2.9
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.1.1
+ A.12.1.2
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ A.13.1.1
+ A.13.1.2
+ A.13.1.3
+ A.13.2.1
+ A.13.2.2
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.2
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-004-6 R3.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ CIP-007-3 R6.5
+ AC-3
+ AC-3(3)(a)
+ AU-9
+ SC-7(21)
+ DE.AE-1
+ ID.AM-3
+ PR.AC-4
+ PR.AC-5
+ PR.AC-6
+ PR.DS-5
+ PR.PT-1
+ PR.PT-3
+ PR.PT-4
+ SRG-OS-000445-GPOS-00199
+ SRG-OS-000134-GPOS-00068
+ SRG-OS-000445-VMM-001780
+ Setting the SELinux state to enforcing ensures SELinux is able to confine
+potentially compromised processes to the security policy, which is designed to
+prevent them from causing damage to the system or further elevating their
+privileges.
+
+
+
+
+
+
+
+
+
+ SELinux - Booleans
+ Enable or Disable runtime customization of SELinux system policies
+without having to reload or recompile the SELinux policy.
+
+ abrt_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ abrt_handle_event SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ abrt_upload_watch_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ antivirus_can_scan_system SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ antivirus_use_jit SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ auditadm_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ authlogin_nsswitch_use_ldap SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ authlogin_radius SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ authlogin_yubikey SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ awstats_purge_apache_log_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ boinc_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ cdrecord_read_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cluster_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cluster_manage_all_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cluster_use_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cobbler_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cobbler_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cobbler_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cobbler_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ collectd_tcp_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ condor_tcp_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ conman_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ container_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cron_can_relabel SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cron_system_cronjob_use_shares SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cron_userdomain_transition SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ cups_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ cvs_read_shadow SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ daemons_dump_core SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ daemons_enable_cluster_mode SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ daemons_use_tcp_wrapper SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ daemons_use_tty SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ dbadm_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ dbadm_manage_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ dbadm_read_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ deny_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ deny_ptrace SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ dhcpc_exec_iptables SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ dhcpd_use_ldap SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ domain_fd_use SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ domain_kernel_load_modules SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ entropyd_use_audio SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ exim_can_connect_db SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ exim_manage_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ exim_read_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ fcron_crond SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ fenced_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ fenced_can_ssh SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ fips_mode SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ ftpd_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_connect_all_unreserved SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_connect_db SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_full_access SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ftpd_use_passive_mode SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_cgi_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_cgi_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_cgi_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_session_bind_all_unreserved_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_session_users SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_system_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_system_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ git_system_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ gitosis_can_sendmail SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ glance_api_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ glance_use_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ glance_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ global_ssp SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ gluster_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ gluster_export_all_ro SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ gluster_export_all_rw SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ gpg_web_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ gssd_read_tmp SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ guest_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ haproxy_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_builtin_scripting SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ httpd_can_check_spam SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_connect_ftp SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_connect_ldap SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_connect_mythtv SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_connect_zabbix SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_network_connect_cobbler SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_network_connect_db SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_network_memcache SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_network_relay SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_can_sendmail SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_dbus_avahi SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_dbus_sssd SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_dontaudit_search_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_enable_cgi SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ httpd_enable_ftp_server SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_graceful_shutdown SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ httpd_manage_ipa SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_mod_auth_ntlm_winbind SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_mod_auth_pam SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_read_user_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_run_ipa SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_run_preupgrade SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_run_stickshift SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_serve_cobbler_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_setrlimit SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_ssi_exec SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_sys_script_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_tmp_exec SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_tty_comm SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_unified SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_gpg SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_openstack SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_use_sasl SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ httpd_verify_dns SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ icecast_use_any_tcp_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ irc_use_any_tcp_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+
+ kdumpgui_run_bootloader SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ kerberos_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ ksmtuned_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ksmtuned_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ logadm_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ logging_syslogd_can_sendmail SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ logging_syslogd_run_nagios_plugins SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ logging_syslogd_use_tty SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ login_console_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ logrotate_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ logwatch_can_network_connect_mail SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ lsmd_plugin_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mailman_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mcelog_client SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mcelog_exec_scripts SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ mcelog_foreground SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mcelog_server SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ minidlna_read_generic_user_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mmap_low_allowed SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mock_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mount_anyfile SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ mozilla_plugin_bind_unreserved_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mozilla_plugin_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mozilla_plugin_use_bluejeans SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mozilla_plugin_use_gps SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mozilla_plugin_use_spice SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mozilla_read_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mpd_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mpd_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mpd_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mplayer_execstack SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ mysql_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ nagios_run_pnp4nagios SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ nagios_run_sudo SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ named_tcp_bind_http_port SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ named_write_master_zones SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ neutron_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ nfs_export_all_ro SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ nfs_export_all_rw SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ nfsd_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ nis_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ nscd_use_shm SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ openshift_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ openvpn_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ openvpn_enable_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ openvpn_run_unconfined SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ pcp_bind_all_unreserved_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ pcp_read_generic_logs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ piranha_lvs_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polipo_connect_all_unreserved SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polipo_session_bind_all_unreserved_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polipo_session_users SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polipo_use_cifs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polipo_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ polyinstantiation_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ postfix_local_write_mail_spool SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ postgresql_can_rsync SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ postgresql_selinux_transmit_client_label SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ postgresql_selinux_unconfined_dbadm SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ postgresql_selinux_users_ddl SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ pppd_can_insmod SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ pppd_for_user SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ privoxy_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ prosody_bind_http_port SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ puppetagent_manage_all_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ puppetmaster_use_db SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ racoon_read_shadow SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ rsync_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ rsync_client SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ rsync_export_all_ro SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ rsync_full_access SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_create_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_domain_controller SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_enable_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_export_all_ro SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_export_all_rw SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_load_libgfapi SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_portmapper SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_run_unconfined SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_share_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ samba_share_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sanlock_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sanlock_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sanlock_use_samba SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ saslauthd_read_shadow SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ secadm_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ secure_mode SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ secure_mode_insmod SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ secure_mode_policyload SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_direct_dri_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ selinuxuser_execheap SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_execmod SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ selinuxuser_execstack SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_mysql_connect_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_ping SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ selinuxuser_postgresql_connect_enabled SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_rw_noexattrfile SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ selinuxuser_share_music SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_tcp_server SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_udp_server SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ selinuxuser_use_ssh_chroot SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sge_domain_can_network_connect SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sge_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ smartmon_3ware SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ smbd_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ spamassassin_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ spamd_enable_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ squid_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ squid_use_tproxy SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ssh_chroot_rw_homedirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ssh_keysign SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ ssh_sysadm_login SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ staff_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ staff_use_svirt SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ swift_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ sysadm_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ telepathy_connect_all_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ telepathy_tcp_connect_generic_network_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ tftp_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ tftp_home_dir SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ tmpreaper_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ tmpreaper_use_samba SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ tor_bind_all_unreserved_ports SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ tor_can_network_relay SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ unconfined_chrome_sandbox_transition SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ unconfined_login SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ unconfined_mozilla_plugin_transition SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ unprivuser_use_svirt SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ use_ecryptfs_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ use_fusefs_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ use_lpd_server SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ use_nfs_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ use_samba_home_dirs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ user_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ varnishd_connect_any SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_read_qemu_ga_data SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_rw_qemu_ga_data SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_sandbox_use_all_caps SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ virt_sandbox_use_audit SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ virt_sandbox_use_mknod SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_sandbox_use_netlink SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_sandbox_use_sys_admin SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_transition_userdomain SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_comm SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_fusefs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_rawip SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_samba SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_sanlock SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ virt_use_usb SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ virt_use_xserver SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ webadm_manage_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ webadm_read_user_files SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ wine_mmap_zero_ignore SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xdm_bind_vnc_tcp_port SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xdm_exec_bootloader SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xdm_sysadm_login SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xdm_write_home SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xen_use_nfs SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xend_run_blktap SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xend_run_qemu SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xguest_connect_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xguest_exec_content SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xguest_mount_media SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xguest_use_bluetooth SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ true
+ false
+ true
+
+
+ xserver_clients_write_xshm SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xserver_execmem SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ xserver_object_manager SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ zabbix_can_network SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ zarafa_setrlimit SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ zebra_write_config SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ zoneminder_anon_write SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+ zoneminder_run_sudo SELinux Boolean
+ default - Default SELinux boolean setting.
+on - SELinux boolean is enabled.
+off - SELinux boolean is disabled.
+ false
+ false
+ true
+
+
+
+
+
+ Services
+ The best protection against vulnerable software is running less software. This section describes how to review
+the software which Ubuntu 18.04 installs on a system and disable software which is not needed. It
+then enumerates the software packages installed on a default Ubuntu 18.04 system and provides guidance about which
+ones can be safely disabled.
+
+Ubuntu 18.04 provides a convenient minimal install option that essentially installs the bare necessities for a functional
+system. When building Ubuntu 18.04 systems, it is highly recommended to select the minimal packages and then build up
+the system from there.
+
+ Apport Service
+ The Apport service provides debugging and crash reporting
+features on Ubuntu distributions.
+
+
+ APT service configuration
+ The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authentication and proper lifecycle management.
+
+ Disable unauthenticated repositories in APT configuration
+ Unauthenticated repositories should not be used for updates.
+ BP28(R15)
+ Repositories hosts all packages that will be intsalled on the system during update.
+ If a repository is not authenticated, the associated packages can't be trusted,
+ and then should not be installed localy.
+
+
+
+
+
+
+ Avahi Server
+ The Avahi daemon implements the DNS Service Discovery
+and Multicast DNS protocols, which provide service and host
+discovery on a network. It allows a system to automatically
+identify resources on the network, such as printers or web servers.
+This capability is also known as mDNSresponder and is a major part
+of Zeroconf networking.
+
+ Configure Avahi if Necessary
+ If your system requires the Avahi daemon, its configuration can be restricted
+to improve security. The Avahi daemon configuration file is
+/etc/avahi/avahi-daemon.conf. The following security recommendations
+should be applied to this file:
+See the avahi-daemon.conf(5) man page, or documentation at
+
+ http://www.avahi.org, for more detailed information
+about the configuration options.
+
+ Disable Avahi Publishing
+ To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf
+and ensure the following line appears in the [publish] section:
+disable-publishing=yes
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ This helps ensure that no record will be published by Avahi.
+
+
+
+ Disable Avahi Server if Possible
+ Because the Avahi daemon service keeps an open network
+port, it is subject to network attacks.
+Disabling it can reduce the system's vulnerability to such attacks.
+
+
+
+ Base Services
+ This section addresses the base services that are installed on a
+Ubuntu 18.04 default installation which are not covered in other
+sections. Some of these services listen on the network and
+should be treated with particular discretion. Other services are local
+system utilities that may or may not be extraneous. In general, system services
+should be disabled if not required.
+
+
+ Cron and At Daemons
+ The cron and at services are used to allow commands to
+be executed at a later time. The cron service is required by almost
+all systems to perform necessary maintenance tasks, while at may or
+may not be required on a given system. Both daemons should be
+configured defensively.
+
+
+ Install the cron service
+ The Cron service should be installed.
+ BP28(R50)
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "cron"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure cron is installed
+ package:
+ name: cron
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_cron_installed
+
+ include install_cron
+
+class install_cron {
+ package { 'cron':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "cron"
+version = "*"
+
+
+
+
+
+
+ Enable cron Service
+ The crond service is used to execute commands at
+preconfigured times. It is required by almost all systems to perform necessary
+maintenance tasks, such as notifying root of system activity.
+
+The cron service can be enabled with the following command:
+$ sudo systemctl enable cron.service
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Due to its usage for maintenance and security-supporting tasks,
+enabling the cron daemon is essential.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'cron.service'
+"$SYSTEMCTL_EXEC" start 'cron.service'
+"$SYSTEMCTL_EXEC" enable 'cron.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service cron
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service cron
+ service:
+ name: cron
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"cron" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_cron_enabled
+
+ include enable_cron
+
+class enable_cron {
+ service {'cron':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["cron"]
+
+
+
+
+
+
+
+
+
+ Restrict at and cron to Authorized Users if Necessary
+ The /etc/cron.allow and /etc/at.allow files contain lists of
+users who are allowed to use cron and at to delay execution of
+processes. If these files exist and if the corresponding files
+/etc/cron.deny and /etc/at.deny do not exist, then only users
+listed in the relevant allow files can run the crontab and at commands
+to submit jobs to be run at scheduled intervals. On many systems, only the
+system administrator needs the ability to schedule jobs. Note that even if a
+given user is not listed in cron.allow, cron jobs can still be run as
+that user. The cron.allow file controls only administrative access
+to the crontab command for scheduling and modifying cron jobs.
+
+
+To restrict at and cron to only authorized users:
+Remove the cron.deny file:$ sudo rm /etc/cron.denyEdit /etc/cron.allow, adding one line for each user allowed to use
+the crontab command to create cron jobs.Remove the at.deny file:$ sudo rm /etc/at.denyEdit /etc/at.allow, adding one line for each user allowed to use
+the at command to create at jobs.
+
+
+
+ Deprecated services
+ Some deprecated software services impact the overall system security due to their behavior (leak of
+confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.
+
+ Uninstall the inet-based telnet server
+ The inet-based telnet daemon should be uninstalled.
+ NT007(R03)
+ 11
+ 12
+ 14
+ 15
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-3
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ telnet allows clear text communications, and does not protect any
+data transmission between client and server. Any confidential data can be
+listened and no integrity checking is made.
+
+# CAUTION: This remediation script will remove inetutils-telnetd
+# from the system, and may remove any packages
+# that depend on inetutils-telnetd. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "inetutils-telnetd"
+
+ - name: Ensure inetutils-telnetd is removed
+ package:
+ name: inetutils-telnetd
+ state: absent
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_inetutils-telnetd_removed
+
+ include remove_inetutils-telnetd
+
+class remove_inetutils-telnetd {
+ package { 'inetutils-telnetd':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+ Uninstall the nis package
+ The support for Yellowpages should not be installed unless it is required.
+ NIS is the historical SUN service for central account management, more and more replaced by LDAP.
+NIS does not support efficiently security constraints, ACL, etc. and should not be used.
+
+# CAUTION: This remediation script will remove nis
+# from the system, and may remove any packages
+# that depend on nis. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "nis"
+
+ - name: Ensure nis is removed
+ package:
+ name: nis
+ state: absent
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - package_nis_removed
+
+ include remove_nis
+
+class remove_nis {
+ package { 'nis':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+ Uninstall the ntpdate package
+ ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.
+ ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.
+
+# CAUTION: This remediation script will remove ntpdate
+# from the system, and may remove any packages
+# that depend on ntpdate. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "ntpdate"
+
+ - name: Ensure ntpdate is removed
+ package:
+ name: ntpdate
+ state: absent
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - package_ntpdate_removed
+
+ include remove_ntpdate
+
+class remove_ntpdate {
+ package { 'ntpdate':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+ Uninstall the ssl compliant telnet server
+ The telnet daemon, even with ssl support, should be uninstalled.
+ NT007(R02)
+ 11
+ 12
+ 14
+ 15
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-3
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ telnet, even with ssl support, should not be installed.
+When remote shell is required, up-to-date ssh daemon can be used.
+
+# CAUTION: This remediation script will remove telnetd-ssl
+# from the system, and may remove any packages
+# that depend on telnetd-ssl. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "telnetd-ssl"
+
+ - name: Ensure telnetd-ssl is removed
+ package:
+ name: telnetd-ssl
+ state: absent
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_telnetd-ssl_removed
+
+ include remove_telnetd-ssl
+
+class remove_telnetd-ssl {
+ package { 'telnetd-ssl':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+ Uninstall the telnet server
+ The telnet daemon should be uninstalled.
+ BP28(R1)
+ NT007(R03)
+ 11
+ 12
+ 14
+ 15
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-3
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ telnet allows clear text communications, and does not protect
+any data transmission between client and server. Any confidential data
+can be listened and no integrity checking is made.'
+
+# CAUTION: This remediation script will remove telnetd
+# from the system, and may remove any packages
+# that depend on telnetd. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "telnetd"
+
+ - name: Ensure telnetd is removed
+ package:
+ name: telnetd
+ state: absent
+ tags:
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_telnetd_removed
+
+ include remove_telnetd
+
+class remove_telnetd {
+ package { 'telnetd':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+
+ DHCP
+ The Dynamic Host Configuration Protocol (DHCP) allows
+systems to request and obtain an IP address and other configuration
+parameters from a server.
+
+This guide recommends configuring networking on clients by manually editing
+the appropriate files under /etc/sysconfig. Use of DHCP can make client
+systems vulnerable to compromise by rogue DHCP servers, and should be avoided
+unless necessary. If using DHCP is necessary, however, there are best practices
+that should be followed to minimize security risk.
+
+ Configure DHCP Client if Necessary
+ If DHCP must be used, then certain configuration changes can
+minimize the amount of information it receives and applies from the network,
+and thus the amount of incorrect information a rogue DHCP server could
+successfully distribute. For more information on configuring dhclient, see the
+dhclient(8) and dhclient.conf(5) man pages.
+
+ Minimize the DHCP-Configured Options
+ Create the file /etc/dhcp/dhclient.conf, and add an
+appropriate setting for each of the ten configuration settings which can be
+obtained via DHCP. For each setting, do one of the following:
+
+If the setting should not be configured remotely by the DHCP server,
+select an appropriate static value, and add the line:
+supersede setting value;
+If the setting should be configured remotely by the DHCP server, add the lines:
+request setting;
+require setting;
+For example, suppose the DHCP server should provide only the IP address itself
+and the subnet mask. Then the entire file should look like:
+supersede domain-name "example.com";
+supersede domain-name-servers 192.168.1.2;
+supersede nis-domain "";
+supersede nis-servers "";
+supersede ntp-servers "ntp.example.com ";
+supersede routers 192.168.1.1;
+supersede time-offset -18000;
+request subnet-mask;
+require subnet-mask;
+ In this example, the options nis-servers and
+nis-domain are set to empty strings, on the assumption that the deprecated NIS
+protocol is not in use. It is necessary to supersede settings for unused
+services so that they cannot be set by a hostile DHCP server. If an option is
+set to an empty string, dhclient will typically not attempt to configure the
+service.
+ By default, the DHCP client program, dhclient, requests and applies
+ten configuration options (in addition to the IP address) from the DHCP server.
+subnet-mask, broadcast-address, time-offset, routers, domain-name,
+domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many
+of the options requested and applied by dhclient may be the same for every
+system on a network. It is recommended that almost all configuration options be
+assigned statically, and only options which must vary on a host-by-host basis
+be assigned via DHCP. This limits the damage which can be done by a rogue DHCP
+server. If appropriate for your site, it is also possible to supersede the
+host-name directive in /etc/dhcp/dhclient.conf, establishing a static
+hostname for the system. However, dhclient does not use the host name option
+provided by the DHCP server (instead using the value provided by a reverse DNS
+lookup).
+
+
+
+ Configure DHCP Server
+ If the system must act as a DHCP server, the configuration
+information it serves should be minimized. Also, support for other protocols
+and DNS-updating schemes should be explicitly disabled unless needed. The
+configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file
+begins with a number of global configuration options. The remainder of the file
+is divided into sections, one for each block of addresses offered by dhcpd,
+each of which contains configuration options specific to that address
+block.
+
+ Minimize Served Information
+ Edit /etc/dhcp/dhcpd.conf. Examine each address range section within
+the file, and ensure that the following options are not defined unless there is
+an operational need to provide this information via DHCP:
+option domain-name
+option domain-name-servers
+option nis-domain
+option nis-servers
+option ntp-servers
+option routers
+option time-offset
+ By default, the Red Hat Enterprise Linux client installation uses DHCP
+to request much of the above information from the DHCP server. In particular,
+domain-name, domain-name-servers, and routers are configured via DHCP. These
+settings are typically necessary for proper network functionality, but are also
+usually static across systems at a given site.
+ 11
+ 14
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.05
+ DSS06.06
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ PR.PT-3
+ Because the configuration information provided by the DHCP server
+could be maliciously provided to clients by a rogue DHCP server, the amount of
+information provided via DHCP should be minimized. Remove these definitions
+from the DHCP server configuration to ensure that legitimate clients do not
+unnecessarily rely on DHCP for this information.
+
+
+
+ Disable DHCP Client
+ DHCP is the default network configuration method provided by the system
+installer, and common on many networks. Nevertheless, manual management
+of IP addresses for systems implies a greater degree of management and
+accountability for network activity.
+
+
+ Disable DHCP Server
+ The DHCP server dhcpd is not installed or activated by
+default. If the software was installed and activated, but the
+system does not need to act as a DHCP server, it should be disabled
+and removed.
+
+
+
+ DNS Server
+ Most organizations have an operational need to run at
+least one nameserver. However, there are many common attacks
+involving DNS server software, and this server software should
+be disabled on any system
+on which it is not needed.
+
+ Disable DNS Server
+ DNS software should be disabled on any systems which does not
+need to be a nameserver. Note that the BIND DNS server software is
+not installed on Ubuntu 18.04 by default. The remainder of this section
+discusses secure configuration of systems which must be
+nameservers.
+
+
+ Isolate DNS from Other Services
+ This section discusses mechanisms for preventing the DNS server
+from interfering with other services. This is done both to protect the
+remainder of the network should a nameserver be compromised, and to make direct
+attacks on nameservers more difficult.
+
+ Run DNS Software in a chroot Jail
+ Install the bind-chroot package:
+$ sudo yum install bind-chroot
+Place a valid named.conf file inside the chroot jail:
+$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
+$ sudo chown root:root /var/named/chroot/etc/named.conf
+$ sudo chmod 644 /var/named/chroot/etc/named.conf
+Create and populate an appropriate zone directory within the jail, based on the
+options directive. If your named.conf includes:
+options {
+directory "/path/to/DIRNAME ";
+...
+}
+then copy that directory and its contents from the original zone directory:
+$ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME
+Add or correct the following line within /etc/sysconfig/named:
+ROOTDIR=/var/named/chroot
+ If you are running BIND in a chroot jail, then you
+should use the jailed named.conf as the primary nameserver
+configuration file. That is, when this guide recommends editing
+/etc/named.conf, you should instead edit
+/var/named/chroot/etc/named.conf.
+
+
+ Run DNS Software on Dedicated Servers
+ Since DNS is
+a high-risk service which must frequently be made available to the entire
+Internet, it is strongly recommended that no other services be offered by
+systems which act as organizational DNS servers.
+
+
+
+ Protect DNS Data from Tampering or Attack
+ This section discusses DNS configuration options which make it
+more difficult for attackers to gain access to private DNS data or to modify
+DNS data.
+
+ Use Views to Partition External and Internal Information
+ If it is not possible to run external and internal nameservers on
+separate physical systems, run BIND9 and simulate this feature using views.
+Edit /etc/named.conf. Add or correct the following directives (where
+SUBNET is the numerical IP representation of your organization in the form
+xxx.xxx.xxx.xxx/xx):
+acl internal {
+ SUBNET ;
+ localhost;
+};
+view "internal-view" {
+ match-clients { internal; };
+ zone "." IN {
+ type hint;
+ file "db.cache";
+ };
+ zone "internal.example.com " IN {
+ ...
+ };
+};
+
+view "external-view" {
+ match-clients { any; };
+ recursion no;
+ zone "example.com " IN {
+ ...
+ };
+};
+ As shown in the example, database files which are
+required for recursion, such as the root hints file, must be available to any
+clients which are allowed to make recursive queries. Under typical
+circumstances, this includes only the internal clients which are allowed to use
+this server as a general-purpose nameserver.
+
+
+ Run Separate DNS Servers for External and Internal Queries
+ Is it possible to run external and internal nameservers on
+separate systems? If so, follow the configuration guidance in this section. On
+the external nameserver, edit /etc/named.conf to add or correct the
+following directives:
+options {
+ allow-query { any; };
+ recursion no;
+ ...
+};
+zone "example.com " IN {
+ ...
+};
+On the internal nameserver, edit /etc/named.conf. Add or correct the
+following directives, where SUBNET is the numerical IP representation of your
+organization in the form xxx.xxx.xxx.xxx/xx:
+acl internal {
+ SUBNET ;
+ localhost;
+};
+options {
+ allow-query { internal; };
+ ...
+};
+zone "internal.example.com " IN {
+ ...
+};
+
+
+
+
+ Docker Service
+ The docker service is necessary to create containers, which are
+ self-sufficient and self-contained applications using the resource
+ isolation features of the kernel.
+
+
+ Application Whitelisting Daemon
+ Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+
+ fapolicyd Must be Configured to Limit Access to Users Home Folders
+ fapolicyd needs be configured so that users cannot give access to their home folders to other users.
+ This rule is deprecated and there is no replacement at this time.
+Previous versions of this rule provided fixtext that would cause fapolicyd not to start.
+ CCI-000366
+ CM-6 b
+ SRG-OS-000480-GPOS-00230
+ Users' home directories/folders may contain information of a sensitive nature.
+Non-privileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.
+fapolicyd can confine users to their home directory, not allowing them to make any changes outside of their own home directories.
+Confining users to their home directory will minimize the risk of sharing information.
+
+
+
+ FTP Server
+ FTP is a common method for allowing remote access to
+files. Like telnet, the FTP protocol is unencrypted, which means
+that passwords and other data transmitted during the session can be
+captured and that the session is vulnerable to hijacking.
+Therefore, running the FTP server software is not recommended.
+
+However, there are some FTP server configurations which may
+be appropriate for some environments, particularly those which
+allow only read-only anonymous access as a means of downloading
+data available to the public.
+
+ Disable vsftpd if Possible
+ To minimize attack surface, disable vsftpd if at all
+possible.
+
+
+ Configure vsftpd to Provide FTP Service if Necessary
+ The primary vsftpd configuration file is
+/etc/vsftpd.conf, if that file exists, or
+/etc/vsftpd/vsftpd.conf if it does not.
+
+ Configure Firewalls to Protect the FTP Server
+
+By default, iptables
+blocks access to the ports used by the web server.
+
+To configure iptables to allow port 21 traffic, one must edit
+/etc/sysconfig/iptables and
+/etc/sysconfig/ip6tables (if IPv6 is in use).
+Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:
+-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
+Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains
+the FTP connection tracking module:
+IPTABLES_MODULES="ip_conntrack_ftp"
+ These settings configure the firewall to allow connections to an FTP server.
+
+
+The first line allows initial connections to the FTP server port.
+FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
+and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by
+iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
+FTP server to operate on a system which is running a firewall.
+
+
+ Restrict the Set of Users Allowed to Access FTP
+ This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
+do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
+identified need for this access.
+
+ Limit Users Allowed FTP Access if Necessary
+ If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
+userlist_enable=YES
+userlist_file=/etc/vsftp.ftpusers
+userlist_deny=NO
+Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
+USERNAME
+If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well.
+anonymous
+ftp
+ Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.
+
+
+
+
+ Use vsftpd to Provide FTP Service if Necessary
+ If your use-case requires FTP service, install and
+set-up vsftpd to provide it.
+
+
+
+ Web Server
+ The web server is responsible for providing access to
+content via the HTTP protocol. Web servers represent a significant
+security risk because:
+
+The HTTP port is commonly probed by malicious sourcesWeb server software is very complex, and includes a long
+history of vulnerabilitiesThe HTTP protocol is unencrypted and vulnerable to passive
+monitoring
+
+The system's default web server software is Apache 2 and is
+provided in the RPM package httpd.
+
+ Disable Apache if Possible
+ If Apache was installed and activated, but the system
+does not need to act as a web server, then it should be disabled
+and removed from the system.
+
+
+ Install Apache if Necessary
+ If httpd was not installed and activated, but the system
+needs to act as a web server, then it should be installed on the system. Follow these
+guidelines to install it defensively. The httpd package can be installed with
+the following command:
+$ sudo yum install httpd
+This method of installation is recommended over installing the "Web Server"
+package group during the system installation process. The Web Server package
+group includes many packages which are likely extraneous, while the
+command-line method installs only the required httpd package itself.
+
+ Confirm Minimal Built-in Modules Installed
+ The default httpd installation minimizes the number of
+modules that are compiled directly into the binary (core prefork http_core
+mod_so). This minimizes risk by limiting the capabilities allowed by the
+web server.
+
+Query the set of compiled-in modules using the following command:
+$ httpd -l
+If the number of compiled-in modules is significantly larger than the
+aforementioned set, this guide recommends re-installing httpd with a
+reduced configuration. Minimizing the number of modules that are compiled into
+the httpd binary, reduces risk by limiting the capabilities allowed by
+the webserver.
+
+
+
+ Secure Apache Configuration
+ The httpd configuration file is
+/etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder
+of this section to this file.
+
+ HTTPD Log Level
+ The setting for LogLevel in /etc/httpd/conf/httpd.conf
+ alert
+ crit
+ warn
+ emerg
+ error
+ warn
+
+
+ Maximum KeepAlive Requests for HTTPD
+ The setting for MaxKeepAliveRequests in httpd.conf
+ 100
+ 1000
+ 10000
+ 100000
+ 500
+ 100
+
+
+ Configure Operating System to Protect Web Server
+ The following configuration steps should be taken on the system which hosts the
+web server, in order to provide as safe an environment as possible for the web server.
+
+ Run httpd in a chroot Jail if Practical
+ Running httpd inside a chroot jail is designed to isolate the
+web server process to a small section of the filesystem, limiting the damage if
+it is compromised. Versions of Apache greater than 2.2.10 (such as the one
+included with Ubuntu 18.04) provide the ChrootDir directive. To run Apache
+inside a chroot jail in /chroot/apache, add the following line to
+/etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This
+necessitates placing all files required by httpd inside
+/chroot/apache , including httpd's binaries, modules,
+configuration files, and served web pages. The details of this configuration
+are beyond the scope of this guide. This may also require additional SELinux
+configuration.
+
+
+ Restrict File and Directory Access
+ Minimize access to critical httpd files and directories.
+
+
+
+ Configure PERL Securely
+ PERL (Practical Extraction and Report Language) is an interpreted language
+optimized for scanning arbitrary text files, extracting information from those
+text files, and printing reports based on that information. The language is
+often used in shell scripting and is intended to be practical, easy to use, and
+efficient means of generating interactive web pages for the user.
+
+
+ Configure PHP Securely
+ PHP is a widely-used and often misconfigured server-side scripting language. It should
+be used with caution, but configured appropriately when needed.
+
+Review /etc/php.ini and make the following changes if possible:
+# Do not expose PHP error messages to external users
+display_errors = Off
+
+# Enable safe mode
+safe_mode = On
+
+# Only allow access to executables in isolated directory
+safe_mode_exec_dir = php-required-executables-path
+
+# Limit external access to PHP environment
+safe_mode_allowed_env_vars = PHP_
+
+# Restrict PHP information leakage
+expose_php = Off
+
+# Log all errors
+log_errors = On
+
+# Do not register globals for input data
+register_globals = Off
+
+# Minimize allowable PHP post size
+post_max_size = 1K
+
+# Ensure PHP redirects appropriately
+cgi.force_redirect = 0
+
+# Disallow uploading unless necessary
+file_uploads = Off
+
+# Disallow treatment of file requests as fopen calls
+allow_url_fopen = Off
+
+# Enable SQL safe mode
+sql.safe_mode = On
+
+
+
+ Directory Restrictions
+ The Directory tags in the web server configuration file allow finer grained access
+control for a specified directory. All web directories should be configured on a
+case-by-case basis, allowing access only where needed.
+
+
+ Minimize Web Server Loadable Modules
+ A default installation of httpd includes a plethora of dynamically shared objects (DSO)
+that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be
+disabled in the configuration file by removing the corresponding LoadModule directive.
+
+Note: A DSO only provides additional functionality if associated directives are included
+in the httpd configuration file. It should also be noted that removing a DSO will produce
+errors on httpd startup if the configuration file contains directives that apply to that
+module. Refer to http://httpd.apache.org/docs/ for details on which directives
+are associated with each DSO.
+
+Following each DSO removal, the configuration can be tested with the following command
+to check if everything still works:
+$ sudo service httpd configtest
+The purpose of each of the modules loaded by default will now be addressed one at a time.
+If none of a module's directives are being used, remove it.
+
+ httpd Core Modules
+ These modules comprise a basic subset of modules that are likely needed for base httpd
+functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf:
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule authn_default_module modules/mod_authn_default.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_default_module modules/mod_authz_default.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule mime_module modules/mod_mome.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+Minimizing the number of loadable modules available to the web server reduces risk
+by limiting the capabilities allowed by the web server.
+
+ Minimize Modules for HTTP Basic Authentication
+ The following modules are necessary if this web server will provide content that will
+be restricted by a password.
+
+Authentication can be performed using local plain text password files (authn_file),
+local DBM password files (authn_dbm) or an LDAP directory. The only module required by
+the web server depends on your choice of authentication. Comment out the modules you don't
+need from the following:
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_dbm_module modules/mod_authn_dbm.so
+authn_alias allows for authentication based on aliases. authn_anon
+allows anonymous authentication similar to that of anonymous ftp sites. authz_owner
+allows authorization based on file ownership. authz_dbm allows for authorization
+based on group membership if the web server is using DBM authentication.
+
+If the above functionality is unnecessary, comment out the related module:
+#LoadModule authn_alias_module modules/mod_authn_alias.so
+#LoadModule authn_anon_module modules/mod_authn_anon.so
+#LoadModule authz_owner_module modules/mod_authz_owner.so
+#LoadModule authz_dbm_module modules/mod_authz_dbm.so
+
+
+ Minimize Configuration Files Included
+ The Include directive directs httpd to load supplementary configuration files
+from a provided path. The default configuration loads all files that end in .conf
+from the /etc/httpd/conf.d directory.
+
+To restrict excess configuration, the following line should be commented out and
+replaced with Include directives that only reference required configuration files:
+#Include conf.d/*.conf
+If the above change was made, ensure that the SSL encryption remains loaded by
+explicitly including the corresponding configuration file:
+Include conf.d/ssl.conf
+If PHP is necessary, a similar alteration must be made:
+Include conf.d/php.conf
+
+Explicitly listing the configuration files to be loaded during web server start-up avoids
+the possibility of unwanted or malicious configuration files to be automatically included as
+part of the server's running configuration.
+
+
+ Minimize Various Optional Components
+ The following modules perform very specific tasks, sometimes providing access to
+just a few additional directives. If such functionality is not required (or if you
+are not using these directives), comment out the associated module:
+External filtering (response passed through external program prior to client delivery)
+#LoadModule ext_filter_module modules/mod_ext_filter.soUser-specified Cache Control and Expiration
+#LoadModule expires_module modules/mod_expires.soCompression Output Filter (provides content compression prior to client delivery)
+#LoadModule deflate_module modules/mod_deflate.soHTTP Response/Request Header Customization
+#LoadModule headers_module modules/mod_headers.soUser activity monitoring via cookies
+#LoadModule usertrack_module modules/mod_usertrack.soDynamically configured mass virtual hosting
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+Minimizing the number of loadable modules available to the web server reduces risk
+by limiting the capabilities allowed by the web server.
+
+
+
+
+ Use Appropriate Modules to Improve httpd's Security
+ Among the modules available for httpd are several whose use may improve the
+security of the web server installation. This section recommends and discusses
+the deployment of security-relevant modules.
+
+ Deploy mod_security
+ The security module provides an application level firewall for httpd.
+Following its installation with the base ruleset, specific configuration advice can be found at
+
+ http://www.modsecurity.org/ to design a policy that best matches the security needs of
+the web applications. Usage of mod_security is highly recommended for some environments,
+but it should be noted this module does not ship with Red Hat Enterprise Linux itself,
+and instead is provided via Extra Packages for Enterprise Linux (EPEL).
+For more information on EPEL please refer to
+ http://fedoraproject.org/wiki/EPEL.
+
+
+ Deploy mod_ssl
+ Because HTTP is a plain text protocol, all traffic is susceptible to passive
+monitoring. If there is a need for confidentiality, SSL should be configured
+and enabled to encrypt content.
+
+Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl.
+The modules share a considerable amount of code and should be nearly identical
+in functionality. If FIPS 140-2 validation is required, then mod_nss should
+be used. If it provides some feature or its greater compatibility is required,
+then mod_ssl should be used.
+
+
+
+ Restrict Web Server Information Leakage
+ The ServerTokens and ServerSignature directives determine how
+much information the web server discloses about the configuration of the
+system.
+
+
+ Configure HTTPD-Served Web Content Securely
+ Running httpd inside a chroot jail is designed to isolate the
+web server process to a small section of the filesystem, limiting the damage if
+it is compromised. Versions of Apache greater than 2.2.10 (such as the one
+included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache
+inside a chroot jail in /chroot/apache, add the following line to
+/etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This
+necessitates placing all files required by httpd inside
+/chroot/apache , including httpd's binaries, modules,
+configuration files, and served web pages. The details of this configuration
+are beyond the scope of this guide. This may also require additional SELinux
+configuration.
+
+ Web Login Banner Verbiage
+ Enter an appropriate login banner for your organization. Please note that new lines must
+be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.
+ ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
+ ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$
+ ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$
+ ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$
+ ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$
+
+
+
+ Use Denial-of-Service Protection Modules
+ Denial-of-service attacks are difficult to detect and prevent while maintaining
+acceptable access to authorized users. However, some traffic-shaping
+modules can be used to address the problem. Well-known DoS protection modules include:
+mod_cband mod_bwshare mod_limitipconn mod_evasive
+Denial-of-service prevention should be implemented for a web server if such a threat exists.
+However, specific configuration details are very dependent on the environment and often best left
+at the discretion of the administrator.
+
+
+
+
+ IMAP and POP3 Server
+ Dovecot provides IMAP and POP3 services. It is not
+installed by default. The project page at
+ http://www.dovecot.org
+contains more detailed information about Dovecot
+configuration.
+
+ Configure Dovecot if Necessary
+ If the system will operate as an IMAP or
+POP3 server, the dovecot software should be configured securely by following
+the recommendations below.
+
+ Allow IMAP Clients to Access the Server
+
+The default iptables configuration does not allow inbound access to any services.
+This modification will allow remote hosts to initiate connections to the IMAP daemon,
+while keeping all other ports on the server in their default protected state.
+To configure iptables to allow port 143 traffic, one must edit
+/etc/sysconfig/iptables and
+/etc/sysconfig/ip6tables (if IPv6 is in use).
+Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:
+-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
+
+
+ Enable SSL Support
+ SSL should be used to encrypt network traffic between the
+Dovecot server and its clients. Users must authenticate to the Dovecot
+server in order to read their mail, and passwords should never be
+transmitted in clear text. In addition, protecting mail as it is
+downloaded is a privacy measure, and clients may use SSL certificates
+to authenticate the server, preventing another system from impersonating
+the server.
+
+
+ Support Only the Necessary Protocols
+ Dovecot supports the IMAP and POP3 protocols, as well as
+SSL-protected versions of those protocols. Configure the Dovecot server
+to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf.
+Add or correct the following lines, replacing PROTOCOL with
+only the subset of protocols (imap, imaps,
+pop3, pop3s) required:
+protocols = PROTOCOL
+If possible, require SSL protection for all transactions. The SSL
+protocol variants listen on alternate ports (995 instead of 110 for
+pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients.
+An alternate approach is to listen on the standard port and require the
+client to use the STARTTLS command before authenticating.
+
+
+
+ Disable Dovecot
+ If the system does not need to operate as an IMAP or
+POP3 server, the dovecot software should be disabled and removed.
+
+
+
+ Kerberos
+ The Kerberos protocol is used for authentication across
+non-secure network. Authentication can happen between
+various types of principals -- users, service, or hosts.
+Their identity and encryption keys can be stored in keytab
+files.
+
+
+
+ LDAP
+ LDAP is a popular directory service, that is, a
+standardized way of looking up information from a central database.
+Ubuntu 18.04 includes software that enables a system to act as both
+an LDAP client and server.
+
+ Configure OpenLDAP Clients
+ This section provides information on which security settings are
+important to configure in OpenLDAP clients by manually editing the appropriate
+configuration files. Ubuntu 18.04 provides an automated configuration tool called
+authconfig and a graphical wrapper for authconfig called
+system-config-authentication. However, these tools do not provide as
+much control over configuration as manual editing of configuration files. The
+authconfig tools do not allow you to specify locations of SSL certificate
+files, which is useful when trying to use SSL cleanly across several protocols.
+Installation and configuration of OpenLDAP on Ubuntu 18.04 is available at
+ Before configuring any system to be an
+LDAP client, ensure that a working LDAP server is present on the
+network.
+
+
+ Configure OpenLDAP Server
+ This section details some security-relevant settings
+for an OpenLDAP server.
+
+ Install and Protect LDAP Certificate Files
+ Create the PKI directory for LDAP certificates if it does not already exist:
+$ sudo mkdir /etc/pki/tls/ldap
+$ sudo chown root:root /etc/pki/tls/ldap
+$ sudo chmod 755 /etc/pki/tls/ldap
+Using removable media or some other secure transmission format, install the certificate files
+onto the LDAP server:
+/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem
+Verify the ownership and permissions of these files:
+$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
+$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
+$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
+$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem
+Verify that the CA's public certificate file has been installed as
+/etc/pki/tls/CA/cacert.pem, and has the correct permissions:
+$ sudo mkdir /etc/pki/tls/CA
+$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
+$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
+
+As a result of these steps, the LDAP server will have access to its own private
+certificate and the key with which that certificate is encrypted, and to the
+public certificate file belonging to the CA. Note that it would be possible for
+the key to be protected further, so that processes running as ldap could not
+read it. If this were done, the LDAP server process would need to be restarted
+manually whenever the server rebooted.
+
+
+
+
+ Mail Server Software
+ Mail servers are used to send and receive email over the network.
+Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
+targets of network attack.
+Ensure that systems are not running MTAs unnecessarily,
+and configure needed MTAs as defensively as possible.
+
+Very few systems at any site should be configured to directly receive email over the
+network. Users should instead use mail client programs to retrieve email
+from a central server that supports protocols such as IMAP or POP3.
+However, it is normal for most systems to be independently capable of sending email,
+for instance so that cron jobs can report output to an administrator.
+Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
+the local system to a central site MTA (or directly delivered to a local account),
+but the system still cannot receive mail directly over a network.
+
+The alternatives program in Ubuntu 18.04 permits selection of other mail server software
+(such as Sendmail), but Postfix is the default and is preferred.
+Postfix was coded with security in mind and can also be more effectively contained by
+SELinux as its modular design has resulted in separate processes performing specific actions.
+More information is available on its website,
+ http://www.postfix.org.
+
+
+ The Postfix package is installed
+ A mail server is required for sending emails.
+The postfix package can be installed with the following command:
+
+$ apt-get install postfix
+ SRG-OS-000046-GPOS-00022
+ Emails can be used to notify designated personnel about important
+system events such as failures or warnings.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "postfix"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure postfix is installed
+ package:
+ name: postfix
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_postfix_installed
+
+ include install_postfix
+
+class install_postfix {
+ package { 'postfix':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "postfix"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Configure SMTP For Mail Clients
+ This section discusses settings for Postfix in a submission-only
+e-mail configuration.
+
+ Postfix Network Interfaces
+ The setting for inet_interfaces in /etc/postfix/main.cf
+ loopback-only
+ loopback-only
+ localhost
+
+
+ Postfix relayhost
+ Specify the host all outbound email should be routed into.
+ smtp.$mydomain
+
+
+ Postfix Root Mail Alias
+ Specify an email address (string) for a root mail alias.
+ system.administrator@mail.mil
+ system.administrator@mail.mil
+
+
+ Configure System to Forward All Mail For The Root Account
+ Make sure that mails delivered to root user are forwarded to a monitored
+email address. Make sure that the address
+ is a valid email address
+reachable from the system in question. Use the following command to
+configure the alias:
+$ sudo echo "root: " >> /etc/aliases
+$ sudo newaliases
+ BP28(R49)
+ CCI-000139
+ CCI-000366
+ CM-6(a)
+ SRG-OS-000046-GPOS-00022
+ A number of system services utilize email messages sent to the root user to
+notify system administrators of active or impending issues. These messages must
+be forwarded to at least one monitored email address.
+
+
+
+
+
+
+
+
+
+ Configure System to Forward All Mail From Postmaster to The Root Account
+ Verify the administrators are notified in the event of an audit processing failure.
+Check that the "/etc/aliases" file has a defined value for "root".
+$ sudo grep "postmaster:\s*root$" /etc/aliases
+
+postmaster: root
+ CCI-000139
+ AU-5(a)
+ AU-5.1(ii)
+ SRG-OS-000046-GPOS-00022
+ It is critical for the appropriate personnel to be aware if a system is at risk of failing to
+process audit logs as required. Without this notification, the security personnel may be
+unaware of an impending failure of the audit capability, and system operation may be adversely
+affected.
+
+Audit processing failures include software/hardware errors, failures in the audit capturing
+mechanisms, and audit storage capacity being reached or exceeded.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/aliases" ] ; then
+
+ LC_ALL=C sed -i "/^\s*postmaster\s*:\s*/Id" "/etc/aliases"
+else
+ touch "/etc/aliases"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/aliases"
+
+cp "/etc/aliases" "/etc/aliases.bak"
+# Insert at the end of the file
+printf '%s\n' "postmaster: root" >> "/etc/aliases"
+# Clean up after ourselves.
+rm "/etc/aliases.bak"
+
+if [ -f /usr/bin/newaliases ]; then
+ newaliases
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Configure System to Forward All Mail From Postmaster to The Root Account
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/aliases
+ create: false
+ regexp: ^\s*postmaster\s*:\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/aliases
+ lineinfile:
+ path: /etc/aliases
+ create: false
+ regexp: ^\s*postmaster\s*:\s*
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/aliases
+ lineinfile:
+ path: /etc/aliases
+ create: true
+ regexp: ^\s*postmaster\s*:\s*
+ line: 'postmaster: root'
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-5(a)
+ - NIST-800-53-AU-5.1(ii)
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - postfix_client_configure_mail_alias_postmaster
+
+- name: Check if newaliases command is available
+ ansible.builtin.stat:
+ path: /usr/bin/newaliases
+ register: result_newaliases_present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-5(a)
+ - NIST-800-53-AU-5.1(ii)
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - postfix_client_configure_mail_alias_postmaster
+
+- name: Update postfix aliases
+ ansible.builtin.command:
+ cmd: newaliases
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - result_newaliases_present.stat.exists
+ tags:
+ - NIST-800-53-AU-5(a)
+ - NIST-800-53-AU-5.1(ii)
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - postfix_client_configure_mail_alias_postmaster
+
+
+
+
+
+
+
+
+
+ Configure System to Forward All Mail through a specific host
+ Set up a relay host that will act as a gateway for all outbound email.
+Edit the file /etc/postfix/main.cf to ensure that only the following
+relayhost line appears:
+relayhost =
+ A central outbound email location ensures messages sent from any network host
+can be audited for potential unexpected content. Tooling on the central server
+may help prevent spam or viruses from being delivered.
+
+
+
+
+
+
+
+ Configure Operating System to Protect Mail Server
+ The guidance in this section is appropriate for any host which is
+operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
+or some other software.
+
+
+ Configure SSL Certificates for Use with SMTP AUTH
+ If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended.
+There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another,
+though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing
+an SSL certificate are independent of the MTA in use, and are described here.
+
+ Ensure Security of Postfix SSL Certificate
+ Create the PKI directory for mail certificates, if it does not already exist:
+$ sudo mkdir /etc/pki/tls/mail
+$ sudo chown root:root /etc/pki/tls/mail
+$ sudo chmod 755 /etc/pki/tls/mail
+Using removable media or some other secure transmission format, install the files generated in the previous
+step onto the mail server:
+/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
+/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem
+Verify the ownership and permissions of these files:
+$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
+$ sudo chown root:root /etc/pki/tls/mail/servercert.pem
+$ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
+$ sudo chmod 644 /etc/pki/tls/mail/servercert.pem
+Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the
+correct permissions:
+$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
+$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
+
+
+
+ Configure Postfix if Necessary
+ Postfix stores its configuration files in the directory
+/etc/postfix by default. The primary configuration file is
+/etc/postfix/main.cf.
+
+ Configure Postfix Resource Usage to Limit Denial of Service Attacks
+ Edit /etc/postfix/main.cf. Edit the following lines to
+configure the amount of system resources Postfix can consume:
+default_process_limit = 100
+smtpd_client_connection_count_limit = 10
+smtpd_client_connection_rate_limit = 30
+queue_minfree = 20971520
+header_size_limit = 51200
+message_size_limit = 10485760
+smtpd_recipient_limit = 100
+The values here are examples.
+ Note: The values given here are examples, and may
+need to be modified for any particular site. By default, the Postfix anvil
+process gathers mail receipt statistics. To get information about about what
+connection rates are typical at your site, look in /var/log/maillog
+for lines with the daemon name postfix/anvil.
+
+
+ Control Mail Relaying
+ Postfix's mail relay controls are implemented with the help of the
+smtpd recipient restrictions option, which controls the restrictions placed on
+the SMTP dialogue once the sender and recipient envelope addresses are known.
+The guidance in the following sections should be applied to all systems. If
+there are systems which must be allowed to relay mail, but which cannot be
+trusted to relay unconditionally, configure SMTP AUTH with SSL support.
+
+ Enact SMTP Recipient Restrictions
+ To configure Postfix to restrict addresses to which it
+will send mail, see:
+
+ http://www.postfix.org/SMTPD_ACCESS_README.html#danger
+
+The full contents of smtpd_recipient_restrictions will
+vary by site, since this is a common place to put spam restrictions and other
+site-specific options. The permit_mynetworks option allows all mail to
+be relayed from the systems in mynetworks. Then, the
+reject_unauth_destination option denies all mail whose destination
+address is not local, preventing any other systems from relaying. These two
+options should always appear in this order, and should usually follow one
+another immediately unless SMTP AUTH is used.
+
+
+ Enact SMTP Relay Restrictions
+ To configure Postfix to restrict addresses to which it
+will send mail, see:
+
+ http://www.postfix.org/SMTPD_ACCESS_README.html#danger
+
+The full contents of smtpd_recipient_restrictions will
+vary by site, since this is a common place to put spam restrictions and other
+site-specific options. The permit_mynetworks option allows all mail to
+be relayed from the systems in mynetworks. Then, the
+reject_unauth_destination option denies all mail whose destination
+address is not local, preventing any other systems from relaying. These two
+options should always appear in this order, and should usually follow one
+another immediately unless SMTP AUTH is used.
+
+
+ Use TLS for SMTP AUTH
+ Postfix provides options to use TLS for certificate-based
+authentication and encrypted sessions. An encrypted session protects the
+information that is transmitted with SMTP mail or with SASL authentication.
+To configure Postfix to protect all SMTP AUTH transactions
+using TLS, see
+ http://www.postfix.org/TLS_README.html.
+
+
+ Configure Trusted Networks and Hosts
+ Edit /etc/postfix/main.cf, and configure the contents of
+the mynetworks variable in one of the following ways:
+If any system in the subnet containing the MTA may be trusted to relay
+messages, add or correct the following line:
+mynetworks_style = subnet
+This is also the default setting, and is in effect if all
+my_networks_style directives are commented.If only the MTA host itself is trusted to relay messages, add or correct
+the following line:
+mynetworks_style = hostIf the set of systems which can relay is more complicated, manually
+specify an entry for each netblock or IP address which is trusted to relay by
+setting the mynetworks variable directly:
+mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
+
+
+ Require SMTP AUTH Before Relaying from Untrusted Clients
+ SMTP authentication allows remote clients to relay mail safely by
+requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses
+an authentication library called SASL, which is not part of Postfix itself. To
+enable the use of SASL authentication, see
+
+ http://www.postfix.org/SASL_README.html
+
+
+
+
+
+
+ NFS and RPC
+ The Network File System is a popular distributed filesystem for
+the Unix environment, and is very widely deployed. This section discusses the
+circumstances under which it is possible to disable NFS and its dependencies,
+and then details steps which should be taken to secure
+NFS's configuration. This section is relevant to systems operating as NFS
+clients, as well as to those operating as NFS servers.
+
+ Disable All NFS Services if Possible
+ If there is not a reason for the system to operate as either an
+NFS client or an NFS server, follow all instructions in this section to disable
+subsystems required by NFS.
+ The steps in this section will prevent a system
+from operating as either an NFS client or an NFS server. Only perform these
+steps on systems which do not need NFS at all.
+
+
+ Disable netfs if Possible
+ To determine if any network filesystems handled by netfs are
+currently mounted on the system execute the following command:
+$ mount -t nfs,nfs4,smbfs,cifs,ncpfs
+If the command did not return any output then disable netfs.
+
+ Disable Network File Systems (netfs)
+ The netfs script manages the boot-time mounting of several types
+of networked filesystems, of which NFS and Samba are the most common. If these
+filesystem types are not in use, the script can be disabled, protecting the
+system somewhat against accidental or malicious changes to /etc/fstab
+and against flaws in the netfs script itself.
+
+The netfs service can be disabled with the following command:
+$ sudo systemctl mask --now netfs.service
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'netfs.service'
+"$SYSTEMCTL_EXEC" disable 'netfs.service'
+"$SYSTEMCTL_EXEC" mask 'netfs.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files netfs.socket; then
+ "$SYSTEMCTL_EXEC" stop 'netfs.socket'
+ "$SYSTEMCTL_EXEC" mask 'netfs.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable service netfs
+ block:
+
+ - name: Disable service netfs
+ systemd:
+ name: netfs.service
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ ignore_errors: 'yes'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_netfs_disabled
+ - unknown_severity
+
+- name: Unit Socket Exists - netfs.socket
+ command: systemctl list-unit-files netfs.socket
+ register: socket_file_exists
+ changed_when: false
+ ignore_errors: true
+ check_mode: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_netfs_disabled
+ - unknown_severity
+
+- name: Disable socket netfs
+ systemd:
+ name: netfs.socket
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"netfs.socket" in socket_file_exists.stdout_lines[1]'
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_netfs_disabled
+ - unknown_severity
+
+ include disable_netfs
+
+class disable_netfs {
+ service {'netfs':
+ enable => false,
+ ensure => 'stopped',
+ }
+}
+
+ apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+ config:
+ ignition:
+ version: 3.1.0
+ systemd:
+ units:
+ - name: netfs.service
+ enabled: false
+ mask: true
+ - name: netfs.socket
+ enabled: false
+ mask: true
+
+
+[customizations.services]
+disabled = ["netfs"]
+
+
+
+
+
+
+
+ Disable Services Used Only by NFS
+ If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
+
+All of these daemons run with elevated privileges, and many listen for network
+connections. If they are not needed, they should be disabled to improve system
+security posture.
+
+
+
+
+ Configure All Systems which Use NFS
+ The steps in this section are appropriate for all systems which
+run NFS, whether they operate as clients or as servers.
+
+ Make Each System a Client or a Server, not Both
+ If NFS must be used, it should be deployed in the simplest
+configuration possible to avoid maintainability problems which may lead to
+unnecessary security exposure. Due to the reliability and security problems
+caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for systems
+which act as NFS servers to also mount filesystems via NFS. At the least,
+crossed mounts (the situation in which each of two servers mounts a filesystem
+from the other) should never be used.
+
+
+ Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
+ Firewalling should be done at each host and at the border
+firewalls to protect the NFS daemons from remote access, since NFS servers
+should never be accessible from outside the organization. However, by default
+for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
+dynamically at service startup time. Dynamic ports cannot be protected by port
+
+filtering firewalls such as iptables.
+
+
+Therefore, restrict each service to always use a given port, so that
+firewalling can be done effectively. Note that, because of the way RPC is
+implemented, it is not possible to disable the RPC Bind service even if ports
+are assigned statically to all RPC services.
+
+In NFSv4, the mounting and locking protocols have been incorporated into the
+protocol, and the server listens on the the well-known TCP port 2049. As such,
+NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd
+daemons, which can and should be disabled in a pure NFSv4 environment. The
+rpc.mountd daemon is still required on the NFS server to setup
+exports, but is not involved in any over-the-wire operations.
+
+
+
+ Configure NFS Clients
+ The steps in this section are appropriate for systems which operate as NFS clients.
+
+ Disable NFS Server Daemons
+ There is no need to run the NFS server daemons nfs and
+rpcsvcgssd except on a small number of properly secured systems
+designated as NFS servers. Ensure that these daemons are turned off on
+clients.
+
+
+ Mount Remote Filesystems with Restrictive Options
+ Edit the file /etc/fstab. For each filesystem whose type
+(column 3) is nfs or nfs4, add the text
+,nodev,nosuid to the list of mount options in column 4. If
+appropriate, also add ,noexec.
+
+See the section titled "Restrict Partition Mount Options" for a description of
+the effects of these options. In general, execution of files mounted via NFS
+should be considered risky because of the possibility that an adversary could
+intercept the request and substitute a malicious file. Allowing setuid files to
+be executed from remote servers is particularly risky, both for this reason and
+because it requires the clients to extend root-level trust to the NFS
+server.
+
+
+
+
+ Configure NFS Servers
+ The steps in this section are appropriate for systems which operate as NFS servers.
+
+ Ensure All-Squashing Disabled On All Exports
+ The all_squash maps all uids and gids to an anonymous user.
+This should be disabled by removing any instances of the
+all_squash option from the file /etc/exports.
+ The all_squash option maps all client requests to a single anonymous
+uid/gid on the NFS server, negating the ability to track file access
+by user ID.
+
+
+
+
+
+ Configure the Exports File Restrictively
+ Linux's NFS implementation uses the file /etc/exports to control what filesystems
+and directories may be accessed via NFS. (See the exports(5) manpage for more information about the
+format of this file.)
+
+The syntax of the exports file is not necessarily checked fully on reload, and syntax errors
+can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
+the file.
+
+The syntax of each line in /etc/exports is:
+/DIR host1(opt1,opt2) host2(opt3)
+where /DIR is a directory or filesystem to export, hostN is an IP address, netblock,
+hostname, domain, or netgroup to which to export, and optN is an option.
+
+
+ Export Filesystems Read-Only if Possible
+ If a filesystem is being exported so that users can view the files in a convenient
+fashion, but there is no need for users to edit those files, exporting the filesystem read-only
+removes an attack vector against the server. The default filesystem export mode is ro,
+so do not specify rw without a good reason.
+
+
+ Use Access Lists to Enforce Authorization Restrictions
+ When configuring NFS exports, ensure that each export line in /etc/exports contains
+a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
+then that export is available to any remote host which requests it. All lines of the exports file should
+specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
+unknown or remote hosts will be denied.
+
+Authorized hosts can be specified in several different formats:
+Name or alias that is recognized by the resolverFully qualified domain nameIP addressIP subnets in the format address/netmask or address/CIDR
+
+
+
+
+ Network Time Protocol
+ The Network Time Protocol is used to manage the system
+clock over a network. Computer clocks are not very accurate, so
+time will drift unpredictably on unmanaged systems. Central time
+protocols can be used both to ensure that time is consistent among
+a network of systems, and that their time is consistent with the
+outside world.
+
+If every system on a network reliably reports the same time, then it is much
+easier to correlate log messages in case of an attack. In addition, a number of
+cryptographic protocols (such as Kerberos) use timestamps to prevent certain
+types of attacks. If your network does not have synchronized time, these
+protocols may be unreliable or even unusable.
+
+Depending on the specifics of the network, global time accuracy may be just as
+important as local synchronization, or not very important at all. If your
+network is connected to the Internet, using a public timeserver (or one
+provided by your enterprise) provides globally accurate timestamps which may be
+essential in investigating or responding to an attack which originated outside
+of your network.
+
+A typical network setup involves a small number of internal systems operating
+as NTP servers, and the remainder obtaining time information from those
+internal servers.
+
+There is a choice between the daemons ntpd and chronyd, which
+are available from the repositories in the ntp and chrony
+packages respectively.
+
+The default chronyd daemon can work well when external time references
+are only intermittently accesible, can perform well even when the network is
+congested for longer periods of time, can usually synchronize the clock faster
+and with better time accuracy, and quickly adapts to sudden changes in the rate
+of the clock, for example, due to changes in the temperature of the crystal
+oscillator. Chronyd should be considered for all systems which are
+frequently suspended or otherwise intermittently disconnected and reconnected
+to a network. Mobile and virtual systems for example.
+
+The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905),
+including broadcast, multicast, manycast clients and servers, and the orphan
+mode. It also supports extra authentication schemes based on public-key
+cryptography (RFC 5906). The NTP daemon (ntpd) should be considered
+for systems which are normally kept permanently on. Systems which are required
+to use broadcast or multicast IP, or to perform authentication of packets with
+the Autokey protocol, should consider using ntpd.
+
+Refer to
+
+
+ https://help.ubuntu.com/lts/serverguide/NTP.html
+
+for more detailed comparison of features of chronyd
+and ntpd daemon features respectively, and for further guidance how to
+choose between the two NTP daemons.
+
+The upstream manual pages at
+ http://chrony.tuxfamily.org/manual.html for
+chronyd and
+ http://www.ntp.org for ntpd provide additional
+information on the capabilities and configuration of each of the NTP daemons.
+
+
+ Vendor Approved Time Servers
+ The list of vendor-approved time servers
+ 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
+ 0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org
+ 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org
+ 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
+ 0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org
+ 0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com
+
+
+ Maximum NTP or Chrony Poll
+ The maximum NTP or Chrony poll interval number in seconds specified as a power of two.
+ 17
+ 16
+ 10
+ 10
+
+
+ The Chrony package is installed
+ System time should be synchronized between all systems in an environment. This is
+typically done by establishing an authoritative time server or set of servers and having all
+systems synchronize their clocks to them.
+The chrony package can be installed with the following command:
+
+$ apt-get install chrony
+ BP28(R43)
+ 0988
+ 1405
+ FMT_SMF_EXT.1
+ Req-10.6.1
+ SRG-OS-000355-GPOS-00143
+ Time synchronization is important to support time sensitive security mechanisms like
+Kerberos and also ensures log files have consistent time records across the enterprise,
+which aids in forensic investigations.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "chrony"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure chrony is installed
+ package:
+ name: chrony
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - PCI-DSS-Req-10.6.1
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_chrony_installed
+
+ include install_chrony
+
+class install_chrony {
+ package { 'chrony':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "chrony"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Install the ntp service
+ The ntpd service should be installed.
+ NT012(R03)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000160
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ PR.PT-1
+ Req-10.4
+ Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "ntp"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure ntp is installed
+ package:
+ name: ntp
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4
+ - enable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - package_ntp_installed
+
+ include install_ntp
+
+class install_ntp {
+ package { 'ntp':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "ntp"
+version = "*"
+
+
+
+
+
+
+
+
+
+ The Chronyd service is enabled
+ chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
+synchronize system clocks across a variety of systems and use a source that is highly
+accurate. More information on chrony can be found at
+
+ http://chrony.tuxfamily.org/.
+Chrony can be configured to be a client and/or a server.
+To enable Chronyd service, you can run:
+# systemctl enable chronyd.service
+This recommendation only applies if chrony is in use on the system.
+ 0988
+ 1405
+ SRG-OS-000355-GPOS-00143
+ If chrony is in use on the system proper configuration is vital to ensuring time
+synchronization is working properly.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'chronyd.service'
+"$SYSTEMCTL_EXEC" start 'chronyd.service'
+"$SYSTEMCTL_EXEC" enable 'chronyd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service chronyd
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service chronyd
+ service:
+ name: chronyd
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"chrony" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_chronyd_enabled
+
+ include enable_chronyd
+
+class enable_chronyd {
+ service {'chronyd':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["chronyd"]
+
+
+
+
+
+
+
+
+
+ Enable the NTP Daemon
+
+The ntp service can be enabled with the following command:
+$ sudo systemctl enable ntp.service
+ NT012(R03)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000160
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ AU-8(1)(a)
+ PR.PT-1
+ Req-10.4
+ Enabling the ntp service ensures that the ntp
+service will be running and that the system will synchronize its time to
+any servers specified. This is important whether the system is configured to be
+a client (and synchronize only its own clock) or it is also acting as an NTP
+server to other systems. Synchronizing time is essential for authentication
+services such as Kerberos, but it is also important for maintaining accurate
+logs and auditing possible security breaches.
+
+The NTP daemon offers all of the functionality of ntpdate, which is now
+deprecated.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'ntp.service'
+"$SYSTEMCTL_EXEC" start 'ntp.service'
+"$SYSTEMCTL_EXEC" enable 'ntp.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service ntp
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service ntp
+ service:
+ name: ntp
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"ntp" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4
+ - enable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_ntp_enabled
+
+ include enable_ntp
+
+class enable_ntp {
+ service {'ntp':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["ntp"]
+
+
+
+
+
+
+
+
+
+ Enable the NTP Daemon
+
+The ntpd service can be enabled with the following command:
+$ sudo systemctl enable ntpd.service
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ AU-8(1)(a)
+ PR.PT-1
+ Req-10.4
+ Enabling the ntpd service ensures that the ntpd
+service will be running and that the system will synchronize its time to
+any servers specified. This is important whether the system is configured to be
+a client (and synchronize only its own clock) or it is also acting as an NTP
+server to other systems. Synchronizing time is essential for authentication
+services such as Kerberos, but it is also important for maintaining accurate
+logs and auditing possible security breaches.
+
+The NTP daemon offers all of the functionality of ntpdate, which is now
+deprecated.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'ntp' 2>/dev/null | grep -q installed; }; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'ntpd.service'
+"$SYSTEMCTL_EXEC" start 'ntpd.service'
+"$SYSTEMCTL_EXEC" enable 'ntpd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_ntpd_enabled
+
+- name: Enable service ntpd
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service ntpd
+ service:
+ name: ntpd
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"ntp" in ansible_facts.packages'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"ntp" in ansible_facts.packages'
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - service_ntpd_enabled
+
+ include enable_ntpd
+
+class enable_ntpd {
+ service {'ntpd':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["ntpd"]
+
+
+
+
+
+
+
+
+
+ Enable systemd_timesyncd Service
+
+The systemd_timesyncd service can be enabled with the following command:
+$ sudo systemctl enable systemd_timesyncd.service
+ NT012(R03)
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ CCI-000160
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ AU-8(1)(a)
+ PR.PT-1
+ Req-10.4
+ Enabling the systemd_timesyncd service ensures that this host
+uses the ntp protocol to fetch time data from a ntp server.
+Synchronizing time is essential for authentication
+services such as Kerberos, but it is also important for maintaining accurate
+logs and auditing possible security breaches.
+
+Additional information on Ubuntu network time protocol is
+available at
+
+ https://help.ubuntu.com/lts/serverguide/NTP.html.en.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" unmask 'systemd-timesyncd.service'
+"$SYSTEMCTL_EXEC" start 'systemd-timesyncd.service'
+"$SYSTEMCTL_EXEC" enable 'systemd-timesyncd.service'
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable service systemd-timesyncd
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Enable service systemd-timesyncd
+ service:
+ name: systemd-timesyncd
+ enabled: 'yes'
+ state: started
+ masked: 'no'
+ when:
+ - '"systemd" in ansible_facts.packages'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4
+ - enable_strategy
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_timesyncd_enabled
+
+ include enable_systemd-timesyncd
+
+class enable_systemd-timesyncd {
+ service {'systemd-timesyncd':
+ enable => true,
+ ensure => 'running',
+ }
+}
+
+
+[customizations.services]
+enabled = ["systemd-timesyncd"]
+
+
+
+
+
+
+
+
+
+ Ensure Chrony is only configured with the server directive
+ Check that Chrony only has time sources configured with the server directive.
+ This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.
+ CCI-001891
+ SRG-OS-000355-GPOS-00143
+ SRG-OS-000356-GPOS-00144
+ SRG-OS-000359-GPOS-00146
+ Depending on the infrastruture being used the pool directive may not be supported.
+
+
+
+
+
+
+
+
+
+ A remote time server for Chrony is configured
+ Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
+synchronize system clocks across a variety of systems and use a source that is highly
+accurate. More information on chrony can be found at
+
+ http://chrony.tuxfamily.org/.
+Chrony can be configured to be a client and/or a server.
+Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate:
+server <remote-server>
+Multiple servers may be configured.
+ BP28(R43)
+ CCI-000160
+ CCI-001891
+ 0988
+ 1405
+ CM-6(a)
+ AU-8(1)(a)
+ Req-10.4.3
+ If chrony is in use on the system proper configuration is vital to ensuring time
+synchronization is working properly.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\n' 'chrony' 2>/dev/null | grep -q installed; }; then
+
+var_multiple_time_servers=''
+
+
+config_file="/etc/chrony/chrony.conf"
+
+if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then
+ if ! grep -q '#[[:space:]]*server' "$config_file" ; then
+ for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do
+ printf '\nserver %s' "$server" >> "$config_file"
+ done
+ else
+ sed -i 's/#[ \t]*server/server/g' "$config_file"
+ fi
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.3
+ - chronyd_specify_remote_server
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+- name: XCCDF Value var_multiple_time_servers # promote to variable
+ set_fact:
+ var_multiple_time_servers: !!str
+ tags:
+ - always
+
+- name: Detect if chrony is already configured with pools or servers
+ find:
+ path: /etc
+ patterns: chrony.conf
+ contains: ^[\s]*(?:server|pool)[\s]+[\w]+
+ register: chrony_servers
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"chrony" in ansible_facts.packages'
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.3
+ - chronyd_specify_remote_server
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Configure remote time servers
+ lineinfile:
+ path: /etc/chrony/chrony.conf
+ line: server {{ item }}
+ state: present
+ create: true
+ loop: '{{ var_multiple_time_servers.split(",") }}'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"chrony" in ansible_facts.packages'
+ - chrony_servers.matched == 0
+ tags:
+ - NIST-800-53-AU-8(1)(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-10.4.3
+ - chronyd_specify_remote_server
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+
+
+
+
+
+
+
+
+ Specify Additional Remote NTP Servers
+ Additional NTP servers can be specified for time synchronization
+in the file /etc/ntp.conf. To do so, add additional lines of the
+following form, substituting the IP address or hostname of a remote NTP server for
+ntpserver:
+server ntpserver
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ AU-8(1)(a)
+ AU-8(2)
+ PR.PT-1
+ Req-10.4.3
+ Specifying additional NTP servers increases the availability of
+accurate time data, in the event that one of the specified servers becomes
+unavailable. This is typical for a system acting as an NTP server for
+other systems.
+
+
+
+
+
+ Specify a Remote NTP Server
+ To specify a remote NTP server for time synchronization, edit
+the file /etc/ntp.conf. Add or correct the following lines,
+substituting the IP or hostname of a remote NTP server for ntpserver:
+server ntpserver
+This instructs the NTP software to contact that remote server to obtain time
+data.
+ 1
+ 14
+ 15
+ 16
+ 3
+ 5
+ 6
+ APO11.04
+ BAI03.05
+ DSS05.04
+ DSS05.07
+ MEA02.01
+ 4.3.3.3.9
+ 4.3.3.5.8
+ 4.3.4.4.7
+ 4.4.2.1
+ 4.4.2.2
+ 4.4.2.4
+ SR 2.10
+ SR 2.11
+ SR 2.12
+ SR 2.8
+ SR 2.9
+ A.12.4.1
+ A.12.4.2
+ A.12.4.3
+ A.12.4.4
+ A.12.7.1
+ CM-6(a)
+ AU-8(1)(a)
+ PR.PT-1
+ Req-10.4.1
+ Req-10.4.3
+ Synchronizing with an NTP server makes it possible
+to collate system logs from multiple sources or correlate computer events with
+real time events.
+
+
+
+
+
+
+
+
+
+
+ Obsolete Services
+ This section discusses a number of network-visible
+services which have historically caused problems for system
+security, and for which disabling or severely limiting the service
+has been the best available guidance for some time. As a result of
+this, many of these services are not installed as part of Ubuntu 18.04
+by default.
+
+Organizations which are running these services should
+switch to more secure equivalents as soon as possible.
+If it remains absolutely necessary to run one of
+these services for legacy reasons, care should be taken to restrict
+the service as much as possible, for instance by configuring host
+
+firewall software such as iptables to restrict access to the
+
+vulnerable service to only those remote hosts which have a known
+need to use it.
+
+ Xinetd
+ The xinetd service acts as a dedicated listener for some
+network services (mostly, obsolete ones) and can be used to provide access
+controls and perform some logging. It has been largely obsoleted by other
+features, and it is not installed by default. The older Inetd service
+is not even available as part of Ubuntu 18.04.
+
+
+
+ NIS
+ The Network Information Service (NIS), also known as 'Yellow
+Pages' (YP), and its successor NIS+ have been made obsolete by
+Kerberos, LDAP, and other modern centralized authentication
+services. NIS should not be used because it suffers from security
+problems inherent in its design, such as inadequate protection of
+important authentication information.
+
+
+ Rlogin, Rsh, and Rexec
+ The Berkeley r-commands are legacy services which
+allow cleartext remote access and have an insecure trust
+model.
+
+ Remove Rsh Trust Files
+ The files /etc/hosts.equiv and ~/.rhosts (in
+each user's home directory) list remote hosts and users that are trusted by the
+local system when using the rshd daemon.
+To remove these files, run the following command to delete them from any
+location:
+$ sudo rm /etc/hosts.equiv
+$ rm ~/.rhosts
+ 11
+ 12
+ 14
+ 15
+ 3
+ 8
+ 9
+ APO13.01
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.05
+ DSS06.06
+ CCI-001436
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ A.11.2.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.2.1
+ A.6.2.2
+ A.9.1.2
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-3
+ PR.IP-1
+ PR.PT-3
+ PR.PT-4
+ This action is only meaningful if .rhosts support is permitted
+through PAM. Trust files are convenient, but when used in conjunction with
+the R-services, they can allow unauthenticated access to a system.
+
+find /root -xdev -type f -name ".rhosts" -exec rm -f {} \;
+find /home -maxdepth 2 -xdev -type f -name ".rhosts" -exec rm -f {} \;
+rm -f /etc/hosts.equiv
+
+
+
+
+
+
+
+
+
+
+ Chat/Messaging Services
+ The talk software makes it possible for users to send and receive messages
+across systems through a terminal session.
+
+
+ Telnet
+ The telnet protocol does not provide confidentiality or integrity
+for information transmitted on the network. This includes authentication
+information such as passwords. Organizations which use telnet should be
+actively working to migrate to a more secure protocol.
+
+
+ TFTP Server
+ TFTP is a lightweight version of the FTP protocol which has
+traditionally been used to configure networking equipment. However,
+TFTP provides little security, and modern versions of networking
+operating systems frequently support configuration via SSH or other
+more secure protocols. A TFTP server should be run only if no more
+secure method of supporting existing equipment can be
+found.
+
+ TFTP server secure directory
+ Specify the directory which is used by TFTP server as a root directory when running in secure mode.
+ /var/lib/tftpboot
+
+
+
+
+ Print Support
+ The Common Unix Printing System (CUPS) service provides both local
+and network printing support. A system running the CUPS service can accept
+print jobs from other systems, process them, and send them to the appropriate
+printer. It also provides an interface for remote administration through a web
+browser. The CUPS service is installed and activated by default. The project
+homepage and more detailed documentation are available at
+
+ http://www.cups.org.
+
+
+ Configure the CUPS Service if Necessary
+ CUPS provides the ability to easily share local printers with
+other systems over the network. It does this by allowing systems to share
+lists of available printers. Additionally, each system that runs the CUPS
+service can potentially act as a print server. Whenever possible, the printer
+sharing and print server capabilities of CUPS should be limited or disabled.
+The following recommendations should demonstrate how to do just that.
+
+
+
+ Proxy Server
+ A proxy server is a very desirable target for a
+potential adversary because much (or all) sensitive data for a
+given infrastructure may flow through it. Therefore, if one is
+required, the system acting as a proxy server should be dedicated
+to that purpose alone and be stored in a physically secure
+location. The system's default proxy server software is Squid, and
+provided in an RPM package of the same name.
+
+ Disable Squid if Possible
+ If Squid was installed and activated, but the system
+does not need to act as a proxy server, then it should be disabled
+and removed.
+
+
+
+ Remote Authentication Dial-In User Service (RADIUS)
+ Remote Authentication Dial-In User Service (RADIUS) is a networking
+protocol, operating on port 1812 that provides centralized
+Authentication, Authorization, and Accounting (AAA or Triple A)
+management for users who connect and use a network service.
+
+
+ Hardware RNG Entropy Gatherer Daemon
+ The rngd feeds random data from hardware device to kernel random device.
+
+
+
+ Network Routing
+ A router is a very desirable target for a
+potential adversary because they fulfill a variety of
+infrastructure networking roles such as access to network segments,
+gateways to other networks, filtering, etc. Therefore, if one is
+required, the system acting as a router should be dedicated
+to that purpose alone and be stored in a physically secure
+location. The system's default routing software is Quagga, and
+provided in an RPM package of the same name.
+
+ Disable Quagga if Possible
+ If Quagga was installed and activated, but the system
+does not need to act as a router, then it should be disabled
+and removed.
+
+
+
+ Samba(SMB) Microsoft Windows File Sharing Server
+ When properly configured, the Samba service allows
+Linux systems to provide file and print sharing to Microsoft
+Windows systems. There are two software packages that provide
+Samba support. The first, samba-client, provides a series of
+command line tools that enable a client system to access Samba
+shares. The second, simply labeled samba, provides the Samba
+service. It is this second package that allows a Linux system to
+act as an Active Directory server, a domain controller, or as a
+domain member. Only the samba-client package is installed by
+default.
+
+ Configure Samba if Necessary
+ All settings for the Samba daemon can be found in
+/etc/samba/smb.conf. Settings are divided between a
+[global] configuration section and a series of user
+created share definition sections meant to describe file or print
+shares on the system. By default, Samba will operate in user mode
+and allow client systems to access local home directories and
+printers. It is recommended that these settings be changed or that
+additional limitations be set in place.
+
+ Restrict Printer Sharing
+ By default, Samba utilizes the CUPS printing service to enable
+printer sharing with Microsoft Windows workstations. If there are no printers
+on the local system, or if printer sharing with Microsoft Windows is not
+required, disable the printer sharing capability by commenting out the
+following lines, found in /etc/samba/smb.conf:
+[global]
+ load printers = yes
+ cups options = raw
+[printers]
+ comment = All Printers
+ path = /usr/spool/samba
+ browseable = no
+ guest ok = no
+ writable = no
+ printable = yes
+There may be other options present, but these are the only options enabled and
+uncommented by default. Removing the [printers] share should be enough
+for most users. If the Samba printer sharing capability is needed, consider
+disabling the Samba network browsing capability or restricting access to a
+particular set of users or network addresses. Set the valid users
+parameter to a small subset of users or restrict it to a particular group of
+users with the shorthand @. Separate each user or group of users with
+a space. For example, under the [printers] share:
+[printers]
+ valid users = user @printerusers
+
+
+ Restrict SMB File Sharing to Configured Networks
+ Only users with local user accounts will be able to log in to
+Samba shares by default. Shares can be limited to particular users or network
+addresses. Use the hosts allow and hosts deny directives
+accordingly, and consider setting the valid users directive to a limited subset
+of users or to a group of users. Separate each address, user, or user group
+with a space as follows for a particular share or global:
+[share]
+ hosts allow = 192.168.1. 127.0.0.1
+ valid users = userone usertwo @usergroup
+It is also possible to limit read and write access to particular users with the
+read list and write list options, though the permissions set by the system
+itself will override these settings. Set the read only attribute for each share
+to ensure that global settings will not accidentally override the individual
+share settings. Then, as with the valid users directive, separate each user or
+group of users with a space:
+[share]
+ read only = yes
+ write list = userone usertwo @usergroup
+
+
+
+ Disable Samba if Possible
+ Even after the Samba server package has been installed, it
+will remain disabled. Do not enable this service unless it is
+absolutely necessary to provide Microsoft Windows file and print
+sharing functionality.
+
+
+
+ SNMP Server
+ The Simple Network Management Protocol allows
+administrators to monitor the state of network devices, including
+computers. Older versions of SNMP were well-known for weak
+security, such as plaintext transmission of the community string
+(used for authentication) and usage of easily-guessable
+choices for the community string.
+
+ Disable SNMP Server if Possible
+ The system includes an SNMP daemon that allows for its remote
+monitoring, though it not installed by default. If it was installed and
+activated but is not needed, the software should be disabled and removed.
+
+
+ Configure SNMP Server if Necessary
+ If it is necessary to run the snmpd agent on the system, some best
+practices should be followed to minimize the security risk from the
+installation. The multiple security models implemented by SNMP cannot be fully
+covered here so only the following general configuration advice can be offered:
+use only SNMP version 3 security models and enable the use of authentication and encryptionwrite access to the MIB (Management Information Base) should be allowed only if necessaryall access to the MIB should be restricted following a principle of least privilegenetwork access should be limited to the maximum extent possible including restricting to expected network
+addresses both in the configuration files and in the system firewall rulesensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
+stationsensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictiveensure that any MIB files' permissions are also 640 or more restrictive
+
+ SNMP read-only community string
+ Specify the SNMP community string used for read-only access.
+ changemero
+
+
+ SNMP read-write community string
+ Specify the SNMP community string used for read-write access.
+ changemerw
+
+
+
+
+ SSH Server
+ The SSH protocol is recommended for remote login and
+remote file transfer. SSH provides confidentiality and integrity
+for data exchanged between two systems, as well as server
+authentication, through the use of public key cryptography. The
+implementation included with the system is called OpenSSH, and more
+detailed documentation is available from its website,
+
+ https://www.openssh.com.
+Its server program is called sshd and provided by the RPM package
+openssh-server.
+
+
+ SSH enabled firewalld zone
+ Specify firewalld zone to enable SSH service. This value is used only for remediation purposes.
+ block
+ public
+ dmz
+ drop
+ external
+ home
+ internal
+ public
+ trusted
+ work
+
+
+ SSH Approved ciphers by FIPS
+ Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server.
+ aes256-ctr,aes192-ctr,aes128-ctr
+ aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+ chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
+ chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
+ chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
+ chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
+
+
+ SSH Approved MACs by FIPS
+ Specify the FIPS approved MACs (message authentication code) algorithms
+ that are used for data integrity protection by the SSH server.
+ hmac-sha2-512,hmac-sha2-256
+ hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
+ hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+
+ SSH session Idle time
+ Specify duration of allowed idle time.
+ 600
+ 7200
+ 840
+ 900
+ 1800
+ 300
+ 3600
+ 300
+
+
+ SSH Server Listening Port
+ Specify port the SSH server is listening.
+ 22
+
+
+ SSH Max authentication attempts
+ Specify the maximum number of authentication attempts per connection.
+ 10
+ 3
+ 4
+ 5
+ 4
+
+
+ SSH is required to be installed
+ Specify if the Policy requires SSH to be installed. Used by SSH Rules
+to determine if SSH should be uninstalled or configured.
+A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, scanner will check for it's configuration, if it's not installed, the check will pass.
+A value of 1 indicates that OpenSSH server package is not required by the policy;
+A value of 2 indicates that OpenSSH server package is required by the policy.
+ 0
+ 1
+ 2
+
+
+ SSH Strong KEX by FIPS
+ Specify the FIPS approved KEXs (Key Exchange Algorithms) algorithms
+ that are used for methods in cryptography by which cryptographic keys are exchanged between two parties
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+
+
+ SSH Max Sessions Count
+ Specify the maximum number of open sessions permitted.
+ 10
+ 4
+ 3
+ 2
+ 1
+ 0
+ 10
+
+
+ SSH Max Keep Alive Count
+ Specify the maximum number of idle message counts before session is terminated.
+ 10
+ 3
+ 5
+ 0
+ 1
+ 0
+
+
+ Install the OpenSSH Server Package
+ The openssh-server package should be installed.
+The openssh-server package can be installed with the following command:
+
+$ apt-get install openssh-server
+ 13
+ 14
+ APO01.06
+ DSS05.02
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ DSS06.06
+ CCI-002418
+ CCI-002420
+ CCI-002421
+ CCI-002422
+ SR 3.1
+ SR 3.8
+ SR 4.1
+ SR 4.2
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CM-6(a)
+ PR.DS-2
+ PR.DS-5
+ FIA_UAU.5
+ FTP_ITC_EXT.1
+ FCS_SSH_EXT.1
+ FCS_SSHS_EXT.1
+ SRG-OS-000423-GPOS-00187
+ SRG-OS-000424-GPOS-00188
+ SRG-OS-000425-GPOS-00189
+ SRG-OS-000426-GPOS-00190
+ Without protection of the transmitted information, confidentiality, and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+DEBIAN_FRONTEND=noninteractive apt-get install -y "openssh-server"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure openssh-server is installed
+ package:
+ name: openssh-server
+ state: present
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(a)
+ - enable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_openssh-server_installed
+
+ include install_openssh-server
+
+class install_openssh-server {
+ package { 'openssh-server':
+ ensure => 'installed',
+ }
+}
+
+
+[[packages]]
+name = "openssh-server"
+version = "*"
+
+
+
+
+
+
+
+
+
+ Remove the OpenSSH Server Package
+ The openssh-server package should be removed.
+The openssh-server package can be removed with the following command:
+
+$ apt-get remove openssh-server
+ Without protection of the transmitted information, confidentiality, and
+integrity may be compromised because unprotected communications can be
+intercepted and either read or altered.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# CAUTION: This remediation script will remove openssh-server
+# from the system, and may remove any packages
+# that depend on openssh-server. Execute this
+# remediation AFTER testing on a non-production
+# system!
+
+DEBIAN_FRONTEND=noninteractive apt-get remove -y "openssh-server"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Ensure openssh-server is removed
+ package:
+ name: openssh-server
+ state: absent
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - package_openssh-server_removed
+
+ include remove_openssh-server
+
+class remove_openssh-server {
+ package { 'openssh-server':
+ ensure => 'purged',
+ }
+}
+
+
+
+
+
+
+
+
+
+ Disable SSH Server If Possible (Unusual)
+ The SSH server service, sshd, is commonly needed.
+However, if it can be disabled, do so.
+
+
+The sshd service can be disabled with the following command:
+$ sudo systemctl mask --now sshd.service
+
+This is unusual, as SSH is a common method for encrypted and authenticated
+remote access.
+ CM-3(6)
+ IA-2(4)
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+SYSTEMCTL_EXEC='/usr/bin/systemctl'
+"$SYSTEMCTL_EXEC" stop 'ssh.service'
+"$SYSTEMCTL_EXEC" disable 'ssh.service'
+"$SYSTEMCTL_EXEC" mask 'ssh.service'
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files ssh.socket; then
+ "$SYSTEMCTL_EXEC" stop 'ssh.socket'
+ "$SYSTEMCTL_EXEC" mask 'ssh.socket'
+fi
+# The service may not be running because it has been started and failed,
+# so let's reset the state so OVAL checks pass.
+# Service should be 'inactive', not 'failed' after reboot though.
+"$SYSTEMCTL_EXEC" reset-failed 'ssh.service' || true
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable service sshd
+ block:
+
+ - name: Disable service sshd
+ systemd:
+ name: ssh.service
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ ignore_errors: 'yes'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-3(6)
+ - NIST-800-53-IA-2(4)
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_sshd_disabled
+ - unknown_severity
+
+- name: Unit Socket Exists - ssh.socket
+ command: systemctl list-unit-files ssh.socket
+ register: socket_file_exists
+ changed_when: false
+ ignore_errors: true
+ check_mode: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-3(6)
+ - NIST-800-53-IA-2(4)
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_sshd_disabled
+ - unknown_severity
+
+- name: Disable socket sshd
+ systemd:
+ name: ssh.socket
+ enabled: 'no'
+ state: stopped
+ masked: 'yes'
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"ssh.socket" in socket_file_exists.stdout_lines[1]'
+ tags:
+ - NIST-800-53-CM-3(6)
+ - NIST-800-53-IA-2(4)
+ - disable_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - service_sshd_disabled
+ - unknown_severity
+
+ include disable_sshd
+
+class disable_sshd {
+ service {'ssh':
+ enable => false,
+ ensure => 'stopped',
+ }
+}
+
+ apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+ config:
+ ignition:
+ version: 3.1.0
+ systemd:
+ units:
+ - name: ssh.service
+ enabled: false
+ mask: true
+ - name: ssh.socket
+ enabled: false
+ mask: true
+
+
+[customizations.services]
+disabled = ["ssh"]
+
+
+
+
+
+
+ Verify Permissions on SSH Server Private *_key Key Files
+ SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.
+If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.
+ BP28(R36)
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.13
+ 3.13.10
+ CCI-000366
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-17(a)
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-2.2.6
+ SRG-OS-000480-GPOS-00227
+ If an unauthorized user obtains the private SSH host key file, the host could be
+impersonated.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+for keyfile in /etc/ssh/*_key; do
+ test -f "$keyfile" || continue
+ if test root:root = "$(stat -c "%U:%G" "$keyfile")"; then
+ chmod u-xs,g-xwrs,o-xwrt "$keyfile"
+
+ else
+ echo "Key-like file '$keyfile' is owned by an unexpected user:group combination"
+ fi
+done
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Find root:root-owned keys
+ command: find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f -group
+ root -perm /u+xs,g+xwrs,o+xwrt
+ register: root_owned_keys
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.13
+ - NIST-800-171-3.13.10
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - configure_strategy
+ - file_permissions_sshd_private_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for root:root-owned keys
+ file:
+ path: '{{ item }}'
+ mode: u-xs,g-xwrs,o-xwrt
+ state: file
+ with_items:
+ - '{{ root_owned_keys.stdout_lines }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.13
+ - NIST-800-171-3.13.10
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - configure_strategy
+ - file_permissions_sshd_private_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+ include ssh_private_key_perms
+
+class ssh_private_key_perms {
+ exec { 'sshd_priv_key':
+ command => "chmod 0640 /etc/ssh/*_key",
+ path => '/bin:/usr/bin'
+ }
+}
+
+
+
+
+
+
+
+
+
+ Verify Permissions on SSH Server Public *.pub Key Files
+ To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.13
+ 3.13.10
+ CCI-000366
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-17(a)
+ CM-6(a)
+ AC-6(1)
+ PR.AC-4
+ PR.DS-5
+ Req-2.2.6
+ SRG-OS-000480-GPOS-00227
+ If a public host key file is modified by an unauthorized user, the SSH service
+may be compromised.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Find /etc/ssh/ file(s)
+ command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex "^.*\.pub$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.13
+ - NIST-800-171-3.13.10
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - configure_strategy
+ - file_permissions_sshd_pub_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set permissions for /etc/ssh/ file(s)
+ file:
+ path: '{{ item }}'
+ mode: u-xs,g-xws,o-xwt
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.13
+ - NIST-800-171-3.13.10
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - configure_strategy
+ - file_permissions_sshd_pub_key
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+ include ssh_public_key_perms
+
+class ssh_public_key_perms {
+ exec { 'sshd_pub_key':
+ command => "chmod 0644 /etc/ssh/*.pub",
+ path => '/bin:/usr/bin'
+ }
+}
+
+
+
+
+
+
+
+
+
+ Remove SSH Server iptables Firewall exception (Unusual)
+ By default, inbound connections to SSH's port are allowed. If the SSH
+server is not being used, this exception should be removed from the
+firewall configuration.
+
+Edit the files /etc/sysconfig/iptables and
+/etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate
+and delete the line:
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+This is unusual, as SSH is a common method for encrypted and authenticated
+remote access.
+ If inbound SSH connections are not expected, disallowing access to the SSH
+port will avoid possible exploitation of the port by an attacker.
+
+
+ Configure OpenSSH Client if Necessary
+ The following configuration changes apply to the SSH client. They can
+improve security parameters relwevant to the client user, e.g. increasing
+entropy while generating initialization vectors. Note that these changes
+influence only the default SSH client configuration. Changes in this group
+can be overridden by the client user by modifying files within the
+~/.ssh directory or by supplying parameters on the command line.
+
+
+ Configure OpenSSH Server if Necessary
+ If the system needs to act as an SSH server, then
+certain changes should be made to the OpenSSH daemon configuration
+file /etc/ssh/sshd_config. The following recommendations can be
+applied to this file. See the sshd_config(5) man page for more
+detailed information.
+
+ SSH RekeyLimit - size
+ Specify the size component of the rekey limit.
+ default
+ 512M
+ 512M
+ 1G
+
+
+ SSH RekeyLimit - size
+ Specify the size component of the rekey limit.
+ none
+ 1h
+ 1h
+
+
+ SSH Compression Setting
+ Specify the compression setting for SSH connections.
+ no
+ delayed
+ no
+
+
+ SSH Privilege Separation Setting
+ Specify whether and how sshd separates privileges when handling incoming network connections.
+ no
+ yes
+ sandbox
+ sandbox
+
+
+ SSH LoginGraceTime setting
+ Configure parameters for how long the servers stays connected before the user has successfully logged in
+ 60
+ 60
+
+
+ SSH MaxStartups setting
+ Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.
+ 10:30:100
+ 10:30:60
+
+
+ Set SSH Client Alive Count Max to zero
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered unresponsive
+and terminated.
+
+To ensure the SSH timeout occurs precisely when the
+ClientAliveInterval is set, set the ClientAliveCountMax to
+value of 0 in
+
+
+/etc/ssh/sshd_config:
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 7
+ 8
+ 5.5.6
+ APO13.01
+ BAI03.01
+ BAI03.02
+ BAI03.03
+ DSS01.03
+ DSS03.05
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.1.11
+ CCI-000879
+ CCI-001133
+ CCI-002361
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 6.2
+ A.12.4.1
+ A.12.4.3
+ A.14.1.1
+ A.14.2.1
+ A.14.2.5
+ A.18.1.4
+ A.6.1.2
+ A.6.1.5
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-004-6 R2.2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ AC-2(5)
+ AC-12
+ AC-17(a)
+ SC-10
+ CM-6(a)
+ DE.CM-1
+ DE.CM-3
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.IP-2
+ Req-8.1.8
+ SRG-OS-000126-GPOS-00066
+ SRG-OS-000163-GPOS-00072
+ SRG-OS-000279-GPOS-00109
+ SRG-OS-000480-VMM-002000
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Set SSH Client Alive Count Max to zero
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ line: ClientAliveCountMax 0
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_keepalive_0
+
+
+
+
+
+
+
+
+
+
+ Set SSH Client Alive Count Max
+ The SSH server sends at most ClientAliveCountMax messages
+during a SSH session and waits for a response from the SSH client.
+The option ClientAliveInterval configures timeout after
+each ClientAliveCountMax message. If the SSH server does not
+receive a response from the client, then the connection is considered unresponsive
+and terminated.
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0
+causes a timeout precisely when the ClientAliveInterval is set.
+Starting with v8.2, a value of 0 disables the timeout functionality
+completely. If the option is set to a number greater than 0, then
+the session will be disconnected after
+ClientAliveInterval * ClientAliveCountMax seconds without receiving
+a keep alive message.
+ BP28(R29)
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 7
+ 8
+ 5.5.6
+ APO13.01
+ BAI03.01
+ BAI03.02
+ BAI03.03
+ DSS01.03
+ DSS03.05
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.1.11
+ CCI-000879
+ CCI-001133
+ CCI-002361
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 6.2
+ A.12.4.1
+ A.12.4.3
+ A.14.1.1
+ A.14.2.1
+ A.14.2.5
+ A.18.1.4
+ A.6.1.2
+ A.6.1.5
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-004-6 R2.2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ AC-2(5)
+ AC-12
+ AC-17(a)
+ SC-10
+ CM-6(a)
+ DE.CM-1
+ DE.CM-3
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.IP-2
+ Req-8.1.8
+ SRG-OS-000163-GPOS-00072
+ SRG-OS-000279-GPOS-00109
+ SRG-OS-000480-VMM-002000
+ This ensures a user login will be terminated as soon as the ClientAliveInterval
+is reached.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_set_keepalive=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_sshd_set_keepalive # promote to variable
+ set_fact:
+ var_sshd_set_keepalive: !!str
+ tags:
+ - always
+
+- name: Set SSH Client Alive Count Max
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*ClientAliveCountMax\s+
+ line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_keepalive
+
+
+
+
+
+
+
+
+
+
+
+ Set SSH Client Alive Interval
+ SSH allows administrators to set a network responsiveness timeout interval.
+After this interval has passed, the unresponsive client will be automatically logged out.
+
+To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
+follows:
+ClientAliveInterval
+
+The timeout interval is given in seconds. For example, have a timeout
+of 10 minutes, set interval to 600.
+
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
+some processes may stop SSH from correctly detecting that the user is idle.
+ SSH disconnecting unresponsive clients will not have desired effect without also
+configuring ClientAliveCountMax in the SSH service configuration.
+ Following conditions may prevent the SSH session to time out:
+Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.Any scp or sftp activity by the same user to the host resets the timeout.
+ BP28(R29)
+ 1
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 7
+ 8
+ 5.5.6
+ APO13.01
+ BAI03.01
+ BAI03.02
+ BAI03.03
+ DSS01.03
+ DSS03.05
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.1.11
+ CCI-000879
+ CCI-001133
+ CCI-002361
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 6.2
+ A.12.4.1
+ A.12.4.3
+ A.14.1.1
+ A.14.2.1
+ A.14.2.5
+ A.18.1.4
+ A.6.1.2
+ A.6.1.5
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-004-6 R2.2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ CM-6(a)
+ AC-17(a)
+ AC-2(5)
+ AC-12
+ AC-17(a)
+ SC-10
+ CM-6(a)
+ DE.CM-1
+ DE.CM-3
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.IP-2
+ Req-8.1.8
+ SRG-OS-000126-GPOS-00066
+ SRG-OS-000163-GPOS-00072
+ SRG-OS-000279-GPOS-00109
+ SRG-OS-000395-GPOS-00175
+ SRG-OS-000480-VMM-002000
+ Terminating an idle ssh session within a short time period reduces the window of
+opportunity for unauthorized personnel to take control of a management session
+enabled on the console or console port that has been let unattended.
+
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+sshd_idle_timeout_value=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+ Disable Host-Based Authentication
+ SSH's cryptographic host-based authentication is
+more secure than .rhosts authentication. However, it is
+not recommended that hosts unilaterally trust one another, even
+within an organization.
+
+The default SSH configuration disables host-based authentication. The appropriate
+configuration is used if no value is set for HostbasedAuthentication.
+
+To explicitly disable host-based authentication, add or correct the
+following line in
+
+
+/etc/ssh/sshd_config:
+
+HostbasedAuthentication no
+ 11
+ 12
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 9
+ 5.5.6
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.03
+ DSS06.06
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ 0421
+ 0422
+ 0431
+ 0974
+ 1173
+ 1401
+ 1504
+ 1505
+ 1546
+ 1557
+ 1558
+ 1559
+ 1560
+ 1561
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ AC-3
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-4
+ PR.AC-6
+ PR.IP-1
+ PR.PT-3
+ FIA_UAU.1
+ SRG-OS-000480-GPOS-00229
+ SRG-OS-000480-VMM-002000
+ SSH trust relationships mean a compromise on one host
+can allow an attacker to move trivially to other hosts.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable Host-Based Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*HostbasedAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*HostbasedAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*HostbasedAuthentication\s+
+ line: HostbasedAuthentication no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_host_auth
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+
+
+
+
+
+
+
+
+
+ Allow Only SSH Protocol 2
+ Only SSH protocol version 2 connections should be
+permitted. The default setting in
+/etc/ssh/sshd_config is correct, and can be
+verified by ensuring that the following
+line appears:
+Protocol 2
+ As of openssh-server version 7.4 and above, the only protocol
+supported is version 2, and line Protocol 2 in
+/etc/ssh/sshd_config is not necessary.
+ NT007(R1)
+ 1
+ 12
+ 15
+ 16
+ 5
+ 8
+ 5.5.6
+ APO13.01
+ DSS01.04
+ DSS05.02
+ DSS05.03
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.03
+ DSS06.10
+ 3.1.13
+ 3.5.4
+ CCI-000197
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.2
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.6
+ SR 3.1
+ SR 3.5
+ SR 3.8
+ SR 4.1
+ SR 4.3
+ SR 5.1
+ SR 5.2
+ SR 5.3
+ SR 7.1
+ SR 7.6
+ 0487
+ 1449
+ 1506
+ A.11.2.6
+ A.13.1.1
+ A.13.2.1
+ A.14.1.3
+ A.18.1.4
+ A.6.2.1
+ A.6.2.2
+ A.7.1.1
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ CIP-003-8 R4.2
+ CIP-007-3 R5.1
+ CIP-007-3 R7.1
+ CM-6(a)
+ AC-17(a)
+ AC-17(2)
+ IA-5(1)(c)
+ SC-13
+ MA-4(6)
+ PR.AC-1
+ PR.AC-3
+ PR.AC-6
+ PR.AC-7
+ PR.PT-4
+ SRG-OS-000074-GPOS-00042
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000033-VMM-000140
+ SSH protocol version 1 is an insecure implementation of the SSH protocol and
+has many well-known vulnerability exploits. Exploits of the SSH daemon could provide
+immediate root access to the system.
+
+
+
+
+
+
+
+
+
+ Disable Compression Or Set Compression to delayed
+ Compression is useful for slow network connections over long
+distances but can cause performance issues on local LANs. If use of compression
+is required, it should be enabled only after a user has authenticated; otherwise,
+it should be disabled. To disable compression or delay compression until after
+a user has successfully authenticated, add or correct the following line in the
+/etc/ssh/sshd_config file:
+Compression
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ If compression is allowed in an SSH connection prior to authentication,
+vulnerabilities in the compression software could result in compromise of the
+system from an unauthenticated connection, potentially with root privileges.
+
+
+
+
+
+
+
+
+
+
+ Disable SSH Access via Empty Passwords
+ Disallow SSH login with empty passwords.
+The default SSH configuration disables logins with empty passwords. The appropriate
+configuration is used if no value is set for PermitEmptyPasswords.
+
+To explicitly disallow SSH login from accounts with empty passwords,
+add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+
+PermitEmptyPasswords no
+Any accounts with empty passwords should be disabled immediately, and PAM configuration
+should prevent users from being able to assign themselves empty passwords.
+ NT007(R17)
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 9
+ 5.5.6
+ APO01.06
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.02
+ DSS06.03
+ DSS06.06
+ 3.1.1
+ 3.1.5
+ CCI-000366
+ CCI-000766
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 5.2
+ SR 7.6
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-4
+ PR.AC-6
+ PR.DS-5
+ PR.IP-1
+ PR.PT-3
+ FIA_UAU.1
+ Req-2.2.6
+ SRG-OS-000106-GPOS-00053
+ SRG-OS-000480-GPOS-00229
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ Configuring this setting for the SSH daemon provides additional assurance
+that remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH Access via Empty Passwords
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitEmptyPasswords\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitEmptyPasswords\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PermitEmptyPasswords\s+
+ line: PermitEmptyPasswords no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-2.2.6
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_empty_passwords
+
+
+
+
+
+
+
+
+
+
+ Disable GSSAPI Authentication
+ Unless needed, SSH should not permit extraneous or unnecessary
+authentication mechanisms like GSSAPI.
+
+The default SSH configuration disallows authentications based on GSSAPI. The appropriate
+configuration is used if no value is set for GSSAPIAuthentication.
+
+To explicitly disable GSSAPI authentication, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+GSSAPIAuthentication no
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000318
+ CCI-000368
+ CCI-001812
+ CCI-001813
+ CCI-001814
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ 0418
+ 1055
+ 1402
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ AC-17(a)
+ PR.IP-1
+ FTP_ITC_EXT.1
+ FCS_SSH_EXT.1.2
+ SRG-OS-000364-GPOS-00151
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ GSSAPI authentication is used to provide additional authentication mechanisms to
+applications. Allowing GSSAPI authentication through SSH exposes the system's
+GSSAPI to remote hosts, increasing the attack surface of the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable GSSAPI Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ line: GSSAPIAuthentication no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_gssapi_auth
+
+
+
+
+
+
+
+
+
+
+ Disable Kerberos Authentication
+ Unless needed, SSH should not permit extraneous or unnecessary
+authentication mechanisms like Kerberos.
+
+The default SSH configuration disallows authentication validation through Kerberos.
+The appropriate configuration is used if no value is set for KerberosAuthentication.
+
+To explicitly disable Kerberos authentication, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+KerberosAuthentication no
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000318
+ CCI-000368
+ CCI-001812
+ CCI-001813
+ CCI-001814
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ 0421
+ 0422
+ 0431
+ 0974
+ 1173
+ 1401
+ 1504
+ 1505
+ 1546
+ 1557
+ 1558
+ 1559
+ 1560
+ 1561
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ FTP_ITC_EXT.1
+ FCS_SSH_EXT.1.2
+ SRG-OS-000364-GPOS-00151
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
+is enabled through SSH, the SSH daemon provides a means of access to the
+system's Kerberos implementation.
+Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable Kerberos Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*KerberosAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*KerberosAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*KerberosAuthentication\s+
+ line: KerberosAuthentication no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_kerb_auth
+
+
+
+
+
+
+
+
+
+
+ Disable PubkeyAuthentication Authentication
+ Unless needed, SSH should not permit extraneous or unnecessary
+authentication mechanisms. To disable PubkeyAuthentication authentication, add or
+correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PubkeyAuthentication no
+ PubkeyAuthentication authentication is used to provide additional authentication mechanisms to
+applications. Allowing PubkeyAuthentication authentication through SSH allows users to
+generate their own authentication tokens, increasing the attack surface of the system.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable PubkeyAuthentication Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ line: PubkeyAuthentication no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_pubkey_auth
+
+
+
+
+
+
+
+
+
+
+ Disable SSH Support for .rhosts Files
+ SSH can emulate the behavior of the obsolete rsh
+command in allowing users to enable insecure access to their
+accounts via .rhosts files.
+
+The default SSH configuration disables support for .rhosts. The appropriate
+configuration is used if no value is set for IgnoreRhosts.
+
+To explicitly disable support for .rhosts files, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+IgnoreRhosts yes
+ 11
+ 12
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 9
+ 5.5.6
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.03
+ DSS06.06
+ 3.1.12
+ CCI-000366
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ A.6.1.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-4
+ PR.AC-6
+ PR.IP-1
+ PR.PT-3
+ FIA_UAU.1
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000107-VMM-000530
+ SSH trust relationships mean a compromise on one host
+can allow an attacker to move trivially to other hosts.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH Support for .rhosts Files
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*IgnoreRhosts\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*IgnoreRhosts\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*IgnoreRhosts\s+
+ line: IgnoreRhosts yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_rhosts
+
+
+
+
+
+
+
+
+
+
+ Disable SSH Support for Rhosts RSA Authentication
+ SSH can allow authentication through the obsolete rsh
+command through the use of the authenticating user's SSH keys. This should be disabled.
+
+To ensure this behavior is disabled, add or correct the
+following line in /etc/ssh/sshd_config:
+RhostsRSAAuthentication no
+ As of openssh-server version 7.4 and above,
+the RhostsRSAAuthentication option has been deprecated, and the line
+RhostsRSAAuthentication no in /etc/ssh/sshd_config is not
+necessary.
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ FIA_UAU.1
+ SRG-OS-000480-GPOS-00227
+ Configuring this setting for the SSH daemon provides additional
+assurance that remote login via SSH will require a password, even
+in the event of misconfiguration elsewhere.
+
+
+
+
+
+
+
+
+
+ Disable SSH Root Login
+ The root user should never be allowed to login to a
+system directly over a network.
+To disable root login via SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin no
+ BP28(R19)
+ NT007(R21)
+ 1
+ 11
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ 5.5.6
+ APO01.06
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS05.10
+ DSS06.02
+ DSS06.03
+ DSS06.06
+ DSS06.10
+ 3.1.1
+ 3.1.5
+ CCI-000366
+ CCI-000770
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.18.1.4
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.2
+ A.9.2.3
+ A.9.2.4
+ A.9.2.6
+ A.9.3.1
+ A.9.4.1
+ A.9.4.2
+ A.9.4.3
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ AC-6(2)
+ AC-17(a)
+ IA-2
+ IA-2(5)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.AC-1
+ PR.AC-4
+ PR.AC-6
+ PR.AC-7
+ PR.DS-5
+ PR.PT-3
+ FAU_GEN.1
+ Req-2.2.6
+ SRG-OS-000109-GPOS-00056
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ Even though the communications channel may be encrypted, an additional layer of
+security is gained by extending the policy of not logging directly on as root.
+In addition, logging in with a user-specific account provides individual
+accountability of actions performed on the system and also helps to minimize
+direct attack attempts on root's password.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH Root Login
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitRootLogin\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitRootLogin\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PermitRootLogin\s+
+ line: PermitRootLogin no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(2)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-IA-2
+ - NIST-800-53-IA-2(5)
+ - PCI-DSS-Req-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_root_login
+
+
+
+
+
+
+
+
+
+
+ Disable SSH root Login with a Password (Insecure)
+ To disable password-based root logins over SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PermitRootLogin prohibit-password
+ While this disables password-based root logins, direct root logins
+through other means such as through SSH keys or GSSAPI will still be
+permitted. Permitting any sort of root login remotely opens up the
+root account to attack.
+To fully disable direct root logins over SSH (which is considered a
+best practice) and prevent remote attacks against the root account,
+see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.
+ Even though the communications channel may be encrypted, an additional
+layer of security is gained by preventing use of a password.
+This also helps to minimize direct attack attempts on root's password.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH root Login with a Password (Insecure)
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitRootLogin\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitRootLogin\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PermitRootLogin\s+
+ line: PermitRootLogin prohibit-password
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_root_password_login
+
+
+
+
+
+
+
+
+
+
+ Disable SSH TCP Forwarding
+ The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
+To disable TCP forwarding, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+AllowTcpForwarding no
+ Leaving port forwarding enabled can expose the organization to security risks and back-doors.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH TCP Forwarding
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*AllowTcpForwarding\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*AllowTcpForwarding\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*AllowTcpForwarding\s+
+ line: AllowTcpForwarding no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_tcp_forwarding
+
+
+
+
+
+
+
+
+
+
+ Disable SSH Support for User Known Hosts
+ SSH can allow system users to connect to systems if a cache of the remote
+systems public keys is available. This should be disabled.
+
+To ensure this behavior is disabled, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+IgnoreUserKnownHosts yes
+ 11
+ 3
+ 9
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ FIA_UAU.1
+ SRG-OS-000480-GPOS-00227
+ Configuring this setting for the SSH daemon provides additional
+assurance that remote login via SSH will require a password, even
+in the event of misconfiguration elsewhere.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable SSH Support for User Known Hosts
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ line: IgnoreUserKnownHosts yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_user_known_hosts
+
+
+
+
+
+
+
+
+
+
+ Disable X11 Forwarding
+ The X11Forwarding parameter provides the ability to tunnel X11 traffic
+through the connection to enable remote graphic connections.
+SSH has the capability to encrypt remote X11 connections when SSH's
+X11Forwarding option is enabled.
+
+The default SSH configuration disables X11Forwarding. The appropriate
+configuration is used if no value is set for X11Forwarding.
+
+To explicitly disable X11 Forwarding, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+X11Forwarding no
+ CCI-000366
+ CM-6(b)
+ SRG-OS-000480-GPOS-00227
+ Disable X11 forwarding unless there is an operational requirement to use X11
+applications directly. There is a small risk that the remote X11 servers of
+users who are logged in via SSH with X11 forwarding could be compromised by
+other users on the X11 server. Note that even if X11 forwarding is disabled,
+users can always install their own forwarders.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Disable X11 Forwarding
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*X11Forwarding\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*X11Forwarding\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*X11Forwarding\s+
+ line: X11Forwarding no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_x11_forwarding
+
+
+
+
+
+
+
+
+
+
+ Do Not Allow SSH Environment Options
+ Ensure that users are not able to override environment variables of the SSH daemon.
+
+The default SSH configuration disables environment processing. The appropriate
+configuration is used if no value is set for PermitUserEnvironment.
+
+To explicitly disable Environment options, add or correct the following
+
+
+/etc/ssh/sshd_config:
+
+PermitUserEnvironment no
+ 11
+ 3
+ 9
+ 5.5.6
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.4.3.2
+ 4.3.4.3.3
+ SR 7.6
+ A.12.1.2
+ A.12.5.1
+ A.12.6.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ AC-17(a)
+ CM-7(a)
+ CM-7(b)
+ CM-6(a)
+ PR.IP-1
+ Req-2.2.6
+ SRG-OS-000480-GPOS-00229
+ SRG-OS-000480-VMM-002000
+ SSH environment options potentially allow users to bypass
+access restriction in some configurations.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Do Not Allow SSH Environment Options
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitUserEnvironment\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PermitUserEnvironment\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PermitUserEnvironment\s+
+ line: PermitUserEnvironment no
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_do_not_permit_user_env
+
+
+
+
+
+
+
+
+
+
+ Enable GSSAPI Authentication
+ Sites setup to use Kerberos or other GSSAPI Authenticaion require setting
+sshd to accept this authentication.
+To enable GSSAPI authentication, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+GSSAPIAuthentication yes
+ Kerberos authentication for SSH is often implemented using GSSAPI. If
+Kerberos is enabled through SSH, the SSH daemon provides a means of access
+to the system's Kerberos implementation. Vulnerabilities in the system's
+Kerberos implementations may be subject to exploitation.
+
+For enterprises, Kerberos is often enabled and used with GSSAPI for
+centralized user account management which may necessitate enabling of
+GSSAPI functionality in SSH.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable GSSAPI Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*GSSAPIAuthentication\s+
+ line: GSSAPIAuthentication yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_gssapi_auth
+
+
+
+
+
+
+
+
+
+
+ Enable PAM
+ UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
+enable PAM authentication using ChallengeResponseAuthentication and
+PasswordAuthentication in addition to PAM account and session module processing for all
+authentication types.
+
+To enable PAM authentication, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+UsePAM yes
+ CCI-000877
+ SRG-OS-000125-GPOS-00065
+ When UsePAM is set to yes, PAM runs through account and session types properly. This is
+important if you want to restrict access to services based off of IP, time or other factors of
+the account. Additionally, you can make sure users inherit certain environment variables
+on login or disallow access to the server.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable PAM
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*UsePAM\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*UsePAM\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*UsePAM\s+
+ line: UsePAM yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_pam
+
+
+
+
+
+
+
+
+
+
+ Enable Public Key Authentication
+ Enable SSH login with public keys.
+
+The default SSH configuration enables authentication based on public keys. The appropriate
+configuration is used if no value is set for PubkeyAuthentication.
+
+To explicitly enable Public Key Authentication, add or correct the following
+
+
+/etc/ssh/sshd_config:
+
+PubkeyAuthentication yes
+ CCI-000765
+ CCI-000766
+ CCI-000767
+ CCI-000768
+ SRG-OS-000105-GPOS-00052
+ SRG-OS-000106-GPOS-00053
+ SRG-OS-000107-GPOS-00054
+ SRG-OS-000108-GPOS-00055
+ Without the use of multifactor authentication, the ease of access to
+privileged functions is greatly increased. Multifactor authentication
+requires using two or more factors to achieve authentication.
+A privileged account is defined as an information system account with
+authorizations of a privileged user.
+The DoD CAC with DoD-approved PKI is an example of multifactor
+authentication.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable Public Key Authentication
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PubkeyAuthentication\s+
+ line: PubkeyAuthentication yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_pubkey_auth
+
+
+
+
+
+
+
+
+
+
+ Enable Use of Strict Mode Checking
+ SSHs StrictModes option checks file and ownership permissions in
+the user's home directory .ssh folder before accepting login. If world-
+writable permissions are found, logon is rejected.
+
+The default SSH configuration has StrictModes enabled. The appropriate
+configuration is used if no value is set for StrictModes.
+
+To explicitly enable StrictModes in SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+StrictModes yes
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ AC-6
+ AC-17(a)
+ CM-6(a)
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000480-VMM-002000
+ If other users have access to modify user-specific SSH configuration files, they
+may be able to log into the system as another user.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable Use of Strict Mode Checking
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*StrictModes\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*StrictModes\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*StrictModes\s+
+ line: StrictModes yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_strictmodes
+
+
+
+
+
+
+
+
+
+
+ Enable SSH Warning Banner
+ To enable the warning banner and ensure it is consistent
+across the system, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+Banner /etc/issue
+Another section contains information on how to create an
+appropriate system-wide warning banner.
+ 1
+ 12
+ 15
+ 16
+ 5.5.6
+ DSS05.04
+ DSS05.10
+ DSS06.10
+ 3.1.9
+ CCI-000048
+ CCI-000050
+ CCI-001384
+ CCI-001385
+ CCI-001386
+ CCI-001387
+ CCI-001388
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.4
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ AC-8(a)
+ AC-8(c)
+ AC-17(a)
+ CM-6(a)
+ PR.AC-7
+ FTA_TAB.1
+ Req-2.2.6
+ SRG-OS-000023-GPOS-00006
+ SRG-OS-000228-GPOS-00088
+ SRG-OS-000023-VMM-000060
+ SRG-OS-000024-VMM-000070
+ The warning message reinforces policy awareness during the logon process and
+facilitates possible legal action against attackers. Alternatively, systems
+whose ownership should not be obvious should ensure usage of a banner that does
+not provide easy attribution.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable SSH Warning Banner
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*Banner\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*Banner\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*Banner\s+
+ line: Banner /etc/issue
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.9
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-8(a)
+ - NIST-800-53-AC-8(c)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_warning_banner
+
+
+
+
+
+
+
+
+
+
+ Enable SSH Warning Banner
+ To enable the warning banner and ensure it is consistent
+across the system, add or correct the following line in
+
+/etc/ssh/sshd_config:
+
+Banner /etc/issue.net
+Another section contains information on how to create an
+appropriate system-wide warning banner.
+ 5.5.6
+ DSS05.04
+ DSS05.10
+ DSS06.10
+ 3.1.9
+ CCI-000048
+ CCI-000050
+ CCI-001384
+ CCI-001385
+ CCI-001386
+ CCI-001387
+ CCI-001388
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.4
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ AC-8(a)
+ AC-8(c)
+ AC-17(a)
+ CM-6(a)
+ PR.AC-7
+ FTA_TAB.1
+ SRG-OS-000023-GPOS-00006
+ SRG-OS-000228-GPOS-00088
+ SRG-OS-000023-VMM-000060
+ SRG-OS-000024-VMM-000070
+ The warning message reinforces policy awareness during the logon process and
+facilitates possible legal action against attackers. Alternatively, systems
+whose ownership should not be obvious should ensure usage of a banner that does
+not provide easy attribution.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable SSH Warning Banner
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*Banner\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*Banner\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*Banner\s+
+ line: Banner /etc/issue.net
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.9
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-8(a)
+ - NIST-800-53-AC-8(c)
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_warning_banner_net
+
+
+
+
+
+
+
+
+
+
+ Enable Encrypted X11 Forwarding
+ By default, remote X11 connections are not encrypted when initiated
+by users. SSH has the capability to encrypt remote X11 connections when SSH's
+X11Forwarding option is enabled.
+
+To enable X11 Forwarding, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+X11Forwarding yes
+ 1
+ 11
+ 12
+ 13
+ 15
+ 16
+ 18
+ 20
+ 3
+ 4
+ 6
+ 9
+ BAI03.08
+ BAI07.04
+ BAI10.01
+ BAI10.02
+ BAI10.03
+ BAI10.05
+ DSS03.01
+ 3.1.13
+ CCI-000366
+ 4.3.4.3.2
+ 4.3.4.3.3
+ 4.4.3.3
+ SR 7.6
+ A.12.1.1
+ A.12.1.2
+ A.12.1.4
+ A.12.5.1
+ A.12.6.2
+ A.13.1.1
+ A.13.1.2
+ A.14.2.2
+ A.14.2.3
+ A.14.2.4
+ CIP-007-3 R7.1
+ CM-6(a)
+ AC-17(a)
+ AC-17(2)
+ DE.AE-1
+ PR.DS-7
+ PR.IP-1
+ SRG-OS-000480-GPOS-00227
+ Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands
+remotely.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable Encrypted X11 Forwarding
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*X11Forwarding\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*X11Forwarding\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*X11Forwarding\s+
+ line: X11Forwarding yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.13
+ - NIST-800-53-AC-17(2)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_x11_forwarding
+
+
+
+
+
+
+
+
+
+
+ Limit Users' SSH Access
+ By default, the SSH configuration allows any user with an account
+to access the system. In order to specify the users that are allowed to login
+via SSH and deny all other users, add or correct the following line in the
+/etc/ssh/sshd_config file:
+AllowUsers USER1 USER2
+Where USER1 and USER2 are valid user names.
+ 11
+ 12
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ DSS05.02
+ DSS05.04
+ DSS05.05
+ DSS05.07
+ DSS06.03
+ DSS06.06
+ 3.1.12
+ 4.3.3.2.2
+ 4.3.3.5.1
+ 4.3.3.5.2
+ 4.3.3.5.3
+ 4.3.3.5.4
+ 4.3.3.5.5
+ 4.3.3.5.6
+ 4.3.3.5.7
+ 4.3.3.5.8
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ 4.3.3.7.1
+ 4.3.3.7.2
+ 4.3.3.7.3
+ 4.3.3.7.4
+ SR 1.1
+ SR 1.10
+ SR 1.11
+ SR 1.12
+ SR 1.13
+ SR 1.2
+ SR 1.3
+ SR 1.4
+ SR 1.5
+ SR 1.6
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ SR 2.1
+ SR 2.2
+ SR 2.3
+ SR 2.4
+ SR 2.5
+ SR 2.6
+ SR 2.7
+ A.6.1.2
+ A.7.1.1
+ A.9.1.2
+ A.9.2.1
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.2.3
+ CIP-004-6 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.2
+ CIP-007-3 R5.2
+ CIP-007-3 R5.3.1
+ CIP-007-3 R5.3.2
+ CIP-007-3 R5.3.3
+ AC-3
+ CM-6(a)
+ PR.AC-4
+ PR.AC-6
+ PR.PT-3
+ Req-2.2.6
+ Specifying which accounts are allowed SSH access into the system reduces the
+possibility of unauthorized access to the system.
+
+
+
+
+
+ Enable SSH Print Last Log
+ Ensure that SSH will display the date and time of the last successful account logon.
+
+The default SSH configuration enables print of the date and time of the last login.
+The appropriate configuration is used if no value is set for PrintLastLog.
+
+To explicitly enable LastLog in SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+PrintLastLog yes
+ 1
+ 12
+ 15
+ 16
+ DSS05.04
+ DSS05.10
+ DSS06.10
+ CCI-000052
+ 4.3.3.6.1
+ 4.3.3.6.2
+ 4.3.3.6.3
+ 4.3.3.6.4
+ 4.3.3.6.5
+ 4.3.3.6.6
+ 4.3.3.6.7
+ 4.3.3.6.8
+ 4.3.3.6.9
+ SR 1.1
+ SR 1.10
+ SR 1.2
+ SR 1.5
+ SR 1.7
+ SR 1.8
+ SR 1.9
+ A.18.1.4
+ A.9.2.1
+ A.9.2.4
+ A.9.3.1
+ A.9.4.2
+ A.9.4.3
+ AC-9
+ AC-9(1)
+ PR.AC-7
+ SRG-OS-000480-GPOS-00227
+ Providing users feedback on when account accesses last occurred facilitates user
+recognition and reporting of unauthorized account use.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Enable SSH Print Last Log
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PrintLastLog\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*PrintLastLog\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*PrintLastLog\s+
+ line: PrintLastLog yes
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-9
+ - NIST-800-53-AC-9(1)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_print_last_log
+
+
+
+
+
+
+
+
+
+
+ Force frequent session key renegotiation
+ The RekeyLimit parameter specifies how often
+the session key of the is renegotiated, both in terms of
+amount of data that may be transmitted and the time
+elapsed.
+To decrease the default limits, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+RekeyLimit
+ CCI-000068
+ FCS_SSH_EXT.1.8
+ SRG-OS-000480-GPOS-00227
+ SRG-OS-000033-GPOS-00014
+ By decreasing the limit based on the amount of data and enabling
+time-based limit, effects of potential attacks against
+encryption keys are limited.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_rekey_limit_size=''
+var_rekey_limit_time=''
+
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_rekey_limit_size # promote to variable
+ set_fact:
+ var_rekey_limit_size: !!str
+ tags:
+ - always
+- name: XCCDF Value var_rekey_limit_time # promote to variable
+ set_fact:
+ var_rekey_limit_time: !!str
+ tags:
+ - always
+
+- name: Force frequent session key renegotiation
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*RekeyLimit\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*RekeyLimit\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*RekeyLimit\s+
+ line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sshd_rekey_limit
+
+
+
+
+
+
+
+
+
+
+
+
+ Ensure SSH LoginGraceTime is configured
+ The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to
+the SSH server. The longer the Grace period is the more open unauthenticated connections
+can exist. Like other session controls in this session the Grace Period should be limited to
+appropriate limits to ensure the service is available for needed access.
+ Setting the LoginGraceTime parameter to a low number will minimize the risk of successful
+brute force attacks to the SSH server. It will also limit the number of concurrent
+unauthenticated connections.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_set_login_grace_time=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_sshd_set_login_grace_time # promote to variable
+ set_fact:
+ var_sshd_set_login_grace_time: !!str
+ tags:
+ - always
+
+- name: Ensure SSH LoginGraceTime is configured
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LoginGraceTime\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LoginGraceTime\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*LoginGraceTime\s+
+ line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_login_grace_time
+
+
+
+
+
+
+
+
+
+
+
+ Set LogLevel to INFO
+ The INFO parameter specifices that record login and logout activity will be logged.
+
+The default SSH configuration sets the log level to INFO. The appropriate
+configuration is used if no value is set for LogLevel.
+
+To explicitly specify the log level in SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+LogLevel INFO
+ AC-17(a)
+ CM-6(a)
+ SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
+not recommended other than strictly for debugging SSH communications since it provides
+so much data that it is difficult to identify important security information. INFO level is the
+basic level that only records login activity of SSH users. In many situations, such as Incident
+Response, it is important to determine when a particular user was active on a system. The
+logout record can eliminate those users who disconnected, which helps narrow the field.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Set LogLevel to INFO
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LogLevel\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LogLevel\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*LogLevel\s+
+ line: LogLevel INFO
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_loglevel_info
+
+
+
+
+
+
+
+
+
+
+ Set SSH Daemon LogLevel to VERBOSE
+ The VERBOSE parameter configures the SSH daemon to record login and logout activity.
+To specify the log level in
+SSH, add or correct the following line in
+
+
+/etc/ssh/sshd_config:
+
+LogLevel VERBOSE
+ CCI-000067
+ CIP-007-3 R7.1
+ AC-17(a)
+ AC-17(1)
+ CM-6(a)
+ Req-2.2.6
+ SRG-OS-000032-GPOS-00013
+ SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
+not recommended other than strictly for debugging SSH communications since it provides
+so much data that it is difficult to identify important security information. INFO or
+VERBOSE level is the basic level that only records login activity of SSH users. In many
+situations, such as Incident Response, it is important to determine when a particular user was active
+on a system. The logout record can eliminate those users who disconnected, which helps narrow the
+field.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: Set SSH Daemon LogLevel to VERBOSE
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LogLevel\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*LogLevel\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*LogLevel\s+
+ line: LogLevel VERBOSE
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-17(1)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_loglevel_verbose
+
+
+
+
+
+
+
+
+
+
+ Set SSH authentication attempt limit
+ The MaxAuthTries parameter specifies the maximum number of authentication attempts
+permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
+to set MaxAUthTries edit /etc/ssh/sshd_config as follows:
+MaxAuthTries
+ 0421
+ 0422
+ 0431
+ 0974
+ 1173
+ 1401
+ 1504
+ 1505
+ 1546
+ 1557
+ 1558
+ 1559
+ 1560
+ 1561
+ Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
+brute force attacks to the SSH server.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+sshd_max_auth_tries_value=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+
+
+
+
+
+
+
+
+
+
+ Set SSH MaxSessions limit
+ The MaxSessions parameter specifies the maximum number of open sessions permitted
+from a given connection. To set MaxSessions edit
+/etc/ssh/sshd_config as follows: MaxSessions
+ To protect a system from denial of service due to a large number of concurrent
+sessions, use the rate limiting function of MaxSessions to protect availability
+of sshd logins and prevent overwhelming the daemon.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_max_sessions=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_sshd_max_sessions # promote to variable
+ set_fact:
+ var_sshd_max_sessions: !!str
+ tags:
+ - always
+
+- name: Set SSH MaxSessions limit
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*MaxSessions\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*MaxSessions\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*MaxSessions\s+
+ line: MaxSessions {{ var_sshd_max_sessions }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sshd_set_max_sessions
+
+
+
+
+
+
+
+
+
+
+
+ Ensure SSH MaxStartups is configured
+ The MaxStartups parameter specifies the maximum number of concurrent
+unauthenticated connections to the SSH daemon. Additional connections will be
+dropped until authentication succeeds or the LoginGraceTime expires for a
+connection. To confgure MaxStartups, you should add or correct the following
+line in the
+/etc/ssh/sshd_config file:
+MaxStartups
+CIS recommends a MaxStartups value of '10:30:60', or more restrictive where
+dictated by site policy.
+ To protect a system from denial of service due to a large number of pending
+authentication connection attempts, use the rate limiting function of MaxStartups
+to protect availability of sshd logins and prevent overwhelming the daemon.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_set_maxstartups=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_sshd_set_maxstartups # promote to variable
+ set_fact:
+ var_sshd_set_maxstartups: !!str
+ tags:
+ - always
+
+- name: Ensure SSH MaxStartups is configured
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*MaxStartups\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*MaxStartups\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*MaxStartups\s+
+ line: MaxStartups {{ var_sshd_set_maxstartups }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_maxstartups
+
+
+
+
+
+
+
+
+
+
+ Enable Use of Privilege Separation
+ When enabled, SSH will create an unprivileged child process that
+has the privilege of the authenticated user. To enable privilege separation in
+SSH, add or correct the following line in the /etc/ssh/sshd_config file:
+UsePrivilegeSeparation
+ 12
+ 13
+ 14
+ 15
+ 16
+ 18
+ 3
+ 5
+ APO01.06
+ DSS05.04
+ DSS05.07
+ DSS06.02
+ 3.1.12
+ CCI-000366
+ 164.308(a)(4)(i)
+ 164.308(b)(1)
+ 164.308(b)(3)
+ 164.310(b)
+ 164.312(e)(1)
+ 164.312(e)(2)(ii)
+ 4.3.3.7.3
+ SR 2.1
+ SR 5.2
+ A.10.1.1
+ A.11.1.4
+ A.11.1.5
+ A.11.2.1
+ A.13.1.1
+ A.13.1.3
+ A.13.2.1
+ A.13.2.3
+ A.13.2.4
+ A.14.1.2
+ A.14.1.3
+ A.6.1.2
+ A.7.1.1
+ A.7.1.2
+ A.7.3.1
+ A.8.2.2
+ A.8.2.3
+ A.9.1.1
+ A.9.1.2
+ A.9.2.3
+ A.9.4.1
+ A.9.4.4
+ A.9.4.5
+ CIP-003-8 R5.1.1
+ CIP-003-8 R5.3
+ CIP-004-6 R2.3
+ CIP-007-3 R2.1
+ CIP-007-3 R2.2
+ CIP-007-3 R2.3
+ CIP-007-3 R5.1
+ CIP-007-3 R5.1.1
+ CIP-007-3 R5.1.2
+ CM-6(a)
+ AC-17(a)
+ AC-6
+ PR.AC-4
+ PR.DS-5
+ SRG-OS-000480-GPOS-00227
+ SSH daemon privilege separation causes the SSH process to drop root privileges
+when not needed which would decrease the impact of software vulnerabilities in
+the unprivileged section.
+ # Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+var_sshd_priv_separation=''
+
+
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
+
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert before the line matching the regex '^Match'.
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
+if [ -z "$line_number" ]; then
+ # There was no match of '^Match', insert at
+ # the end of the file.
+ printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
+else
+ head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
+ printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
+ tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+fi
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
+
+ - name: XCCDF Value var_sshd_priv_separation # promote to variable
+ set_fact:
+ var_sshd_priv_separation: !!str
+ tags:
+ - always
+
+- name: Enable Use of Privilege Separation
+ block:
+
+ - name: Check for duplicate values
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: false
+ regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/ssh/sshd_config
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ create: true
+ regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}
+ state: present
+ insertbefore: ^[#\s]*Match
+ validate: /usr/sbin/sshd -t -f %s
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_use_priv_separation
+
+
+
+
+
+
+
+
+
+
+
+ Strengthen Firewall Configuration if Possible
+ If the SSH server is expected to only receive connections from
+the local network, then strengthen the default firewall rule for the SSH service
+to only accept connections from the appropriate network segment(s).
+
+Determine an appropriate network block, netwk, network mask, mask, and
+network protocol, ip_protocol, representing the systems on your network which will
+be allowed to access this SSH server.
+
+Run the following command:
+firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'
+
+
+
+
+ System Security Services Daemon
+ The System Security Services Daemon (SSSD) is a system daemon that provides access
+to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
+openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
+support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
+servers permit offline authentication as well as store extended user data.
+
+For more information, see
+
+
+ SSSD certificate_verification option
+ Value of the certificate_verification option in
+the SSSD config.
+ sha1
+ sha256
+ sha384
+ sha512
+ sha1
+
+
+ SSSD memcache_timeout option
+ Value of the memcache_timeout option in the [nss] section
+of SSSD config /etc/sssd/sssd.conf.
+ 180
+ 300
+ 600
+ 900
+ 1800
+ 86400
+ 300
+
+
+ SSSD ssh_known_hosts_timeout option
+ Value of the ssh_known_hosts_timeout option in the [ssh] section
+of SSSD configuration file /etc/sssd/sssd.conf.
+ 180
+ 300
+ 600
+ 900
+ 1800
+ 86400
+ 180
+
+
+ System Security Services Daemon (SSSD) - LDAP
+ The System Security Services Daemon (SSSD) is a system daemon that provides access
+to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
+openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
+support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
+servers permit offline authentication as well as store extended user data.
+
+SSSD can support many backends including LDAP. The sssd-ldap backend
+allows SSSD to fetch identity information from an LDAP server.
+
+
+ SSSD LDAP Backend Client CA Certificate Location
+ Path of a directory that contains Certificate Authority certificates.
+ /etc/openldap/cacerts
+
+
+
+
+ USBGuard daemon
+ The USBGuard daemon enforces the USB device authorization policy for all USB devices.
+
+
+
+ X Window System
+ The X Window System implementation included with the
+system is called X.org.
+
+ Disable X Windows
+ Unless there is a mission-critical reason for the
+system to run a graphical user interface, ensure X is not set to start
+automatically at boot and remove the X Windows software packages.
+There is usually no reason to run X Windows
+on a dedicated server system, as it increases the system's attack surface and consumes
+system resources. Administrators of server systems should instead login via
+SSH or on the text console.
+
+
+
+
+ Introduction
+ The purpose of this guidance is to provide security configuration
+recommendations and baselines for the Ubuntu 18.04 operating
+system. Recommended settings for the basic operating system are provided,
+as well as for many network services that the system can provide to other systems.
+The guide is intended for system administrators. Readers are assumed to
+possess basic system administration skills for Unix-like systems, as well
+as some familiarity with the product's documentation and administration
+conventions. Some instructions within this guide are complex.
+All directions should be followed completely and with understanding of
+their effects in order to avoid serious adverse effects on the system
+and its security.
+
+ General Principles
+ The following general principles motivate much of the advice in this
+guide and should also influence any configuration decisions that are
+not explicitly covered.
+
+ Encrypt Transmitted Data Whenever Possible
+ Data transmitted over a network, whether wired or wireless, is susceptible
+to passive monitoring. Whenever practical solutions for encrypting
+such data exist, they should be applied. Even if data is expected to
+be transmitted only over a local network, it should still be encrypted.
+Encrypting authentication data, such as passwords, is particularly
+important. Networks of Ubuntu 18.04 machines can and should be configured
+so that no unencrypted authentication data is ever transmitted between
+machines.
+
+
+ Least Privilege
+ Grant the least privilege necessary for user accounts and software to perform tasks.
+For example, sudo can be implemented to limit authorization to super user
+accounts on the system only to designated personnel. Another example is to limit
+logins on server systems to only those administrators who need to log into them in
+order to perform administration tasks. Using SELinux also follows the principle of
+least privilege: SELinux policy can confine software to perform only actions on the
+system that are specifically allowed. This can be far more restrictive than the
+actions permissible by the traditional Unix permissions model.
+
+
+ Minimize Software to Minimize Vulnerability
+ The simplest way to avoid vulnerabilities in software is to avoid
+installing that software. On Ubuntu 18.04,the Package Manager (originally apt ),
+allows for careful management of
+the set of software packages installed on a system. Installed software
+contributes to system vulnerability in several ways. Packages that
+include setuid programs may provide local attackers a potential path to
+privilege escalation. Packages that include network services may give
+this opportunity to network-based attackers. Packages that include
+programs which are predictably executed by local users (e.g. after
+graphical login) may provide opportunities for trojan horses or other
+attack code to be run undetected. The number of software packages
+installed on a system can almost always be significantly pruned to include
+only the software for which there is an environmental or operational need.
+
+
+ Run Different Network Services on Separate Systems
+ Whenever possible, a server should be dedicated to serving exactly one
+network service. This limits the number of other services that can
+be compromised in the event that an attacker is able to successfully
+exploit a software flaw in one network service.
+
+
+ Configure Security Tools to Improve System Robustness
+ Several tools exist which can be effectively used to improve a system's
+resistance to and detection of unknown attacks. These tools can improve
+robustness against attack at the cost of relatively little configuration
+effort. In particular, this guide recommends and discusses the use of
+host-based firewalling, SELinux for protection against
+vulnerable services, and a logging and auditing infrastructure for
+detection of problems.
+
+
+
+ How to Use This Guide
+ Readers should heed the following points when using the guide.
+
+ Formatting Conventions
+ Commands intended for shell execution, as well as configuration file text,
+are featured in a monospace font. Italics are used
+to indicate instances where the system administrator must substitute
+the appropriate information into a command or configuration file.
+
+
+ Read Sections Completely and in Order
+ Each section may build on information and recommendations discussed in
+prior sections. Each section should be read and understood completely;
+instructions should never be blindly applied. Relevant discussion may
+occur after instructions for an action.
+
+
+ Reboot Required
+ A system reboot is implicitly required after some actions in order to
+complete the reconfiguration of the system. In many cases, the changes
+will not take effect until a reboot is performed. In order to ensure
+that changes are applied properly and to test functionality, always
+reboot the system after applying a set of recommendations from this guide.
+
+
+ Root Shell Environment Assumed
+ Most of the actions listed in this document are written with the
+assumption that they will be executed by the root user running the
+/bin/bash shell. Commands preceded with a hash mark (#)
+assume that the administrator will execute the commands as root, i.e.
+apply the command via sudo whenever possible, or use
+su to gain root privileges if sudo cannot be
+used. Commands which can be executed as a non-root user are are preceded
+by a dollar sign ($) prompt.
+
+
+ Test in Non-Production Environment
+ This guidance should always be tested in a non-production environment
+before deployment. This test environment should simulate the setup in
+which the system will be deployed as closely as possible.
+
+
+
+
+
+ OSCAP Scan Result
+
+ localhost.localdomain
+
+ OpenSCAP
+ 1.3.8
+ localhost.localdomain
+ podman-image://5d2df19066aca89df8e5317544a1cb599dc657830184762ff6fdefaaf708db65 [docker.io/library/ubuntu:18.04]
+ podman-image://5d2df19066aca89df8e5317544a1cb599dc657830184762ff6fdefaaf708db65 [docker.io/library/ubuntu:18.04]
+
+
+ root@localhost
+ 512M
+ 1h
+ DEFAULT
+ 2592000
+ 900
+ 0
+ root
+ /var/log/sudo.log
+ 5
+ 5
+ 0022
+ minimal
+ ^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$
+ SHA512
+ 5
+ 3
+ /var/log/faillock
+ 900
+ 0
+ 0
+ 4000000
+ 5
+ requisite
+ 3
+ -1
+ 1
+ 8
+ -1
+ 4
+ 3
+ 3
+ 15
+ -1
+ 3
+ -1
+ 300
+ default
+ ^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$
+ 35
+ 35
+ 60
+ 7
+ 15
+ 7
+ 5000
+ 4
+ 1
+ 600
+ (\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)
+ 027
+ 2
+ single
+ single
+ logcollector
+ root
+ halt
+ 5
+ single
+ single
+ data
+ 50
+ 6
+ rotate
+ 5
+ 100
+ email
+ 25
+ flush
+ full
+ 500
+ prctl
+ sha512
+ certs/signing_key.pem
+ 0
+ root
+ root
+ logcollector
+ no
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 1
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 1
+ 0
+ 0
+ 0
+ 0
+ 0
+ 0
+ 1
+ 1
+ 0
+ 0
+ 0
+ 0
+ 1
+ 1
+ 0
+ 0
+ 1
+ 1
+ 500
+ 1
+ 1
+ 2
+ /dev/cdrom
+ 2
+ 022
+ 1
+ P
+ targeted
+ enforcing
+ false
+ false
+ true
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ true
+ true
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ true
+ false
+ false
+ true
+ true
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ true
+ false
+ false
+ true
+ false
+ true
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ true
+ true
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ true
+ false
+ true
+ false
+ false
+ true
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ true
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ true
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ true
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ true
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ true
+ true
+ true
+ true
+ true
+ true
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ false
+ warn
+ 100
+ ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$
+ loopback-only
+ smtp.$mydomain
+ system.administrator@mail.mil
+ 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
+ 10
+ /var/lib/tftpboot
+ changemero
+ changemerw
+ public
+ aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+ hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+ 300
+ 22
+ 4
+ 0
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+ 10
+ 0
+ 512M
+ 1h
+ no
+ sandbox
+ 60
+ 10:30:100
+ sha1
+ 300
+ 180
+ /etc/openldap/cacerts
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notchecked
+ No candidate or applicable check found.
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ pass
+
+
+
+
+
+ notselected
+
+
+ pass
+
+
+
+
+
+ notselected
+
+
+ notselected
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ pass
+
+
+
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ fail
+
+
+
+
+
+ fail
+
+
+
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notapplicable
+
+
+ notselected
+
+
+ notselected
+
+
+ notselected
+
+ 50.000000
+
+
diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json
new file mode 100644
index 0000000000..f6ac1d6514
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json
@@ -0,0 +1,141349 @@
+{
+ "platform": {
+ "name": "Heimdall Tools",
+ "release": "2.6.47",
+ "target_id": "cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~"
+ },
+ "version": "2.6.47",
+ "statistics": {},
+ "profiles": [
+ {
+ "name": "xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC",
+ "version": "SCAP_1.2",
+ "title": "Guide to the Secure Configuration of Ubuntu 18.04",
+ "maintainer": "",
+ "summary": "This guide presents a catalog of security-relevant\nconfiguration settings for Ubuntu 18.04. It is a rendering of\ncontent structured in the eXtensible Configuration Checklist Description Format (XCCDF)\nin order to support security automation. The SCAP content is\nis available in thepackage which is developed at.Providing system administrators with such guidance informs them how to securely\nconfigure systems under their control in a variety of network roles. Policy\nmakers and baseline creators can use this catalog of settings, with its\nassociated references to higher-level security control catalogs, in order to\nassist them in security baseline creation. This guide is a, and satisfaction of every item is not likely to be possible or\nsensible in many operational scenarios. However, the XCCDF format enables\ngranular selection and adjustment of settings, and their association with OVAL\nand OCIL content provides an automated checking capability. Transformations of\nthis document, and its associated automated checking content, are capable of\nproviding baselines that meet a diverse set of policy objectives. Some example\nXCCDF, which are selections of items that form checklists and\ncan be used as baselines, are available with this guide. They can be\nprocessed, in an automated fashion, with tools that support the Security\nContent Automation Protocol (SCAP). The DISA STIG, which provides required\nsettings for US Department of Defense systems, is one example of a baseline\ncreated from this guidance.",
+ "description": "{\n \"description.text\": \"This guide presents a catalog of security-relevant\\nconfiguration settings for Ubuntu 18.04. It is a rendering of\\ncontent structured in the eXtensible Configuration Checklist Description Format (XCCDF)\\nin order to support security automation. The SCAP content is\\nis available in thepackage which is developed at.Providing system administrators with such guidance informs them how to securely\\nconfigure systems under their control in a variety of network roles. Policy\\nmakers and baseline creators can use this catalog of settings, with its\\nassociated references to higher-level security control catalogs, in order to\\nassist them in security baseline creation. This guide is a, and satisfaction of every item is not likely to be possible or\\nsensible in many operational scenarios. However, the XCCDF format enables\\ngranular selection and adjustment of settings, and their association with OVAL\\nand OCIL content provides an automated checking capability. Transformations of\\nthis document, and its associated automated checking content, are capable of\\nproviding baselines that meet a diverse set of policy objectives. Some example\\nXCCDF, which are selections of items that form checklists and\\ncan be used as baselines, are available with this guide. They can be\\nprocessed, in an automated fashion, with tools that support the Security\\nContent Automation Protocol (SCAP). The DISA STIG, which provides required\\nsettings for US Department of Defense systems, is one example of a baseline\\ncreated from this guidance.\",\n \"front-matter\": {\n \"br\": \"\",\n \"a\": {\n \"text\": \"https://www.open-scap.org/security-policies/scap-security-guide\",\n \"href\": \"https://www.open-scap.org/security-policies/scap-security-guide\"\n },\n \"text\": \"The SCAP Security Guide Project\",\n \"lang\": \"en-US\"\n },\n \"metadata\": {\n \"publisher\": \"SCAP Security Guide Project\",\n \"creator\": \"SCAP Security Guide Project\",\n \"contributor\": [\n \"Frank J Cameron (CAM1244) \",\n \"0x66656c6978 <0x66656c6978@users.noreply.github.com>\",\n \"Håvard F. Aasen \",\n \"Jack Adolph \",\n \"Edgar Aguilar \",\n \"Gabe Alford \",\n \"Firas AlShafei \",\n \"Rodrigo Alvares \",\n \"Christopher Anderson \",\n \"angystardust \",\n \"anivan-suse \",\n \"anixon-rh <55244503+anixon-rh@users.noreply.github.com>\",\n \"Ikko Ashimine \",\n \"Chuck Atkins \",\n \"Bharath B \",\n \"Ryan Ballanger \",\n \"Alex Baranowski \",\n \"Eduardo Barretto \",\n \"Molly Jo Bault \",\n \"Andrew Becker \",\n \"Gabriel Becker \",\n \"Alexander Bergmann \",\n \"Dale Bewley \",\n \"Jose Luis BG \",\n \"binyanling \",\n \"Joseph Bisch \",\n \"Jeff Blank \",\n \"Olivier Bonhomme \",\n \"Lance Bragstad \",\n \"Ted Brunell \",\n \"Marcus Burghardt \",\n \"Matthew Burket \",\n \"Blake Burkhart \",\n \"Patrick Callahan \",\n \"George Campbell \",\n \"Nick Carboni \",\n \"Carlos <64919342+carlosmmatos@users.noreply.github.com>\",\n \"James Cassell \",\n \"Frank Caviggia \",\n \"Eric Christensen \",\n \"Dan Clark \",\n \"Jayson Cofell <1051437+70k10@users.noreply.github.com>\",\n \"Caleb Cooper \",\n \"Richard Maciel Costa \",\n \"Xavier Coulon \",\n \"Deric Crago \",\n \"crleekwc \",\n \"cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com>\",\n \"Maura Dailey \",\n \"Klaas Demter \",\n \"denknorr \",\n \"dhanushkar-wso2 \",\n \"Andrew DiPrinzio \",\n \"dom \",\n \"Jean-Baptiste Donnette \",\n \"Marco De Donno \",\n \"dperrone \",\n \"drax \",\n \"Sebastian Dunne \",\n \"François Duthilleul \",\n \"Greg Elin \",\n \"eradot4027 \",\n \"Alexis Facques \",\n \"Leah Fisher \",\n \"Yavor Georgiev \",\n \"Alijohn Ghassemlouei \",\n \"Swarup Ghosh \",\n \"ghylock \",\n \"Andrew Gilmore \",\n \"Joshua Glemza \",\n \"Nick Gompper \",\n \"David Fernandez Gonzalez \",\n \"Loren Gordon \",\n \"Patrik Greco \",\n \"Steve Grubb \",\n \"guangyee \",\n \"Christian Hagenest \",\n \"Marek Haicman \",\n \"Vern Hart \",\n \"Alex Haydock \",\n \"Rebekah Hayes \",\n \"Trey Henefield \",\n \"Henning Henkel \",\n \"hex2a \",\n \"John Hooks \",\n \"Jakub Hrozek \",\n \"De Huo \",\n \"Robin Price II \",\n \"Yasir Imam \",\n \"Jiri Jaburek \",\n \"Keith Jackson \",\n \"Marc Jadoul \",\n \"Jeremiah Jahn \",\n \"Jakub Jelen \",\n \"Jessicahfy \",\n \"Stephan Joerrens \",\n \"Hunter Jones \",\n \"Jono \",\n \"justchris1 \",\n \"Kai Kang \",\n \"Charles Kernstock \",\n \"Yuli Khodorkovskiy \",\n \"Sherine Khoury \",\n \"Nathan Kinder \",\n \"Lee Kinser \",\n \"Evgeny Kolesnikov \",\n \"Peter 'Pessoft' Kolínek \",\n \"Luke Kordell \",\n \"Malte Kraus \",\n \"Seth Kress \",\n \"Felix Krohn \",\n \"kspargur \",\n \"Amit Kumar \",\n \"Fen Labalme \",\n \"Ade Lee \",\n \"Christopher Lee \",\n \"Ian Lee \",\n \"Jarrett Lee \",\n \"Joseph Lenox \",\n \"Jan Lieskovsky \",\n \"Markus Linnala \",\n \"Flos Lonicerae \",\n \"Simon Lukasik \",\n \"Milan Lysonek \",\n \"Fredrik Lysén \",\n \"Caitlin Macleod \",\n \"Nick Maludy \",\n \"Lokesh Mandvekar \",\n \"Matus Marhefka \",\n \"Jamie Lorwey Martin \",\n \"Carlos Matos \",\n \"Robert McAllister \",\n \"Karen McCarron \",\n \"Michael McConachie \",\n \"Marcus Meissner \",\n \"Khary Mendez \",\n \"Rodney Mercer \",\n \"Matt Micene \",\n \"Brian Millett \",\n \"Takuya Mishina \",\n \"Mixer9 <35545791+Mixer9@users.noreply.github.com>\",\n \"mmosel \",\n \"Zbynek Moravec \",\n \"Kazuo Moriwaka \",\n \"Michael Moseley \",\n \"Renaud Métrich \",\n \"Joe Nall \",\n \"Neiloy \",\n \"Axel Nennker \",\n \"Michele Newman \",\n \"Sean O'Keeffe \",\n \"Jiri Odehnal \",\n \"Ilya Okomin \",\n \"Kaustubh Padegaonkar \",\n \"Michael Palmiotto \",\n \"Eryx Paredes \",\n \"Max R.D. Parmer \",\n \"Arnaud Patard \",\n \"Jan Pazdziora \",\n \"pcactr \",\n \"Kenneth Peeples \",\n \"Nathan Peters \",\n \"Frank Lin PIAT \",\n \"Stefan Pietsch \",\n \"piggyvenus \",\n \"Vojtech Polasek \",\n \"Orion Poplawski \",\n \"Nick Poyant \",\n \"Martin Preisler \",\n \"Wesley Ceraso Prudencio \",\n \"Raphael Sanchez Prudencio \",\n \"T.O. Radzy Radzykewycz \",\n \"Kenyon Ralph \",\n \"Mike Ralph \",\n \"Federico Ramirez \",\n \"rchikov \",\n \"Rick Renshaw \",\n \"Chris Reynolds \",\n \"rhayes \",\n \"Pat Riehecky \",\n \"rlucente-se-jboss \",\n \"Juan Antonio Osorio Robles \",\n \"Matt Rogers \",\n \"Jesse Roland \",\n \"Joshua Roys \",\n \"rrenshaw \",\n \"Chris Ruffalo \",\n \"rumch-se <77793453+rumch-se@users.noreply.github.com>\",\n \"Ray Shaw (Cont ARL/CISD) rvshaw \",\n \"Earl Sampson \",\n \"sampsone \",\n \"Willy Santos \",\n \"Nagarjuna Sarvepalli \",\n \"Anderson Sasaki <33833274+ansasaki@users.noreply.github.com>\",\n \"Gautam Satish \",\n \"Watson Sato \",\n \"Satoru SATOH \",\n \"Alexander Scheel \",\n \"Bryan Schneiders \",\n \"shaneboulden \",\n \"Vincent Shen \",\n \"Dhriti Shikhar \",\n \"Spencer Shimko \",\n \"Mark Shoger \",\n \"THOBY Simon \",\n \"Thomas Sjögren \",\n \"Jindrich Skacel <102800748+jskacel@users.noreply.github.com>\",\n \"Francisco Slavin \",\n \"Dave Smith \",\n \"David Smith \",\n \"Kevin Spargur \",\n \"Kenneth Stailey \",\n \"Leland Steinke \",\n \"Justin Stephenson \",\n \"Brian Stinson \",\n \"Jake Stookey \",\n \"Jonathan Sturges \",\n \"teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>\",\n \"Ian Tewksbury \",\n \"Philippe Thierry \",\n \"Simon THOBY \",\n \"Derek Thurston \",\n \"tianzhenjia \",\n \"Greg Tinsley \",\n \"Paul Tittle \",\n \"tom \",\n \"tomas.hudik \",\n \"Jeb Trayer \",\n \"TrilokGeer \",\n \"Viktors Trubovics \",\n \"Nico Truzzolino \",\n \"Brian Turek \",\n \"Matěj Týč \",\n \"VadimDor <29509093+VadimDor@users.noreply.github.com>\",\n \"Trevor Vaughan \",\n \"vtrubovics <82443408+vtrubovics@users.noreply.github.com>\",\n \"Samuel Warren \",\n \"wcushen <54533890+wcushen@users.noreply.github.com>\",\n \"Shawn Wells \",\n \"Daniel E. White \",\n \"Bernhard M. Wiedemann \",\n \"Roy Williams \",\n \"Willumpie \",\n \"Rob Wilmoth \",\n \"win97pro \",\n \"Lucas Yamanishi \",\n \"Xirui Yang \",\n \"yarunachalam \",\n \"Guang Yee \",\n \"Achilleas John Yfantis \",\n \"YiLin.Li \",\n \"YuQing \",\n \"Kevin Zimmerman \",\n \"Luigi Mario Zuccarelli \",\n \"Jan Černý \",\n \"Michal Šrubař \"\n ],\n \"source\": \"https://github.com/ComplianceAsCode/content/releases/latest\"\n },\n \"model\": {\n \"system\": \"urn:xccdf:scoring:default\"\n },\n \"rear-matter\": {\n \"text\": \"Red Hat and Red Hat Enterprise Linux are either registered\\ntrademarks or trademarks of Red Hat, Inc. in the United States and other\\ncountries. All other names are registered trademarks or trademarks of their\\nrespective companies.\",\n \"lang\": \"en-US\"\n },\n \"status\": {\n \"text\": \"draft\",\n \"date\": \"2023-02-06\"\n },\n \"version\": {\n \"text\": \"0.1.66\",\n \"update\": \"https://github.com/ComplianceAsCode/content/releases/latest\"\n },\n \"TestResult.benchmark\": {\n \"href\": \"/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml\",\n \"id\": \"xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC\"\n },\n \"TestResult.start-time\": \"2023-03-20T12:28:11-05:00\",\n \"TestResult.end-time\": \"2023-03-20T12:28:12-05:00\",\n \"TestResult.id\": \"xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis\",\n \"TestResult.platform.idref\": \"cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~\",\n \"TestResult.profile.idref\": \"xccdf_org.ssgproject.content_profile_cis\",\n \"TestResult.score\": {\n \"text\": \"50.000000\",\n \"system\": \"urn:xccdf:scoring:default\",\n \"maximum\": \"100.000000\"\n },\n \"TestResult.set-value\": [\n {\n \"text\": \"root@localhost\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_aide_scan_notification_email\"\n },\n {\n \"text\": \"512M\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size\"\n },\n {\n \"text\": \"1h\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time\"\n },\n {\n \"text\": \"DEFAULT\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_system_crypto_policy\"\n },\n {\n \"text\": \"2592000\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mcafee_antivirus_definition_expire\"\n },\n {\n \"text\": \"900\",\n \"idref\": \"xccdf_org.ssgproject.content_value_inactivity_timeout_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_screensaver_lock_delay\"\n },\n {\n \"text\": \"root\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_dedicated_group\"\n },\n {\n \"text\": \"/var/log/sudo.log\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_logfile\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_timestamp_timeout\"\n },\n {\n \"text\": \"0022\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_umask\"\n },\n {\n \"text\": \"minimal\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_authselect_profile\"\n },\n {\n \"text\": \"^Authorized[\\\\s\\\\n]+uses[\\\\s\\\\n]+only\\\\.[\\\\s\\\\n]+All[\\\\s\\\\n]+activity[\\\\s\\\\n]+may[\\\\s\\\\n]+be[\\\\s\\\\n]+monitored[\\\\s\\\\n]+and[\\\\s\\\\n]+reported\\\\.$\",\n \"idref\": \"xccdf_org.ssgproject.content_value_login_banner_text\"\n },\n {\n \"text\": \"SHA512\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_hashing_algorithm\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_unix_remember\"\n },\n {\n \"text\": \"3\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny\"\n },\n {\n \"text\": \"/var/log/faillock\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir\"\n },\n {\n \"text\": \"900\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_tally2_unlock_time\"\n },\n {\n \"text\": \"4000000\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_delay\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_remember\"\n },\n {\n \"text\": \"requisite\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_remember_control_flag\"\n },\n {\n \"text\": \"3\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_tally2\"\n },\n {\n \"text\": \"-1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_dcredit\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_dictcheck\"\n },\n {\n \"text\": \"8\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_difok\"\n },\n {\n \"text\": \"-1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_lcredit\"\n },\n {\n \"text\": \"4\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat\"\n },\n {\n \"text\": \"3\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat\"\n },\n {\n \"text\": \"3\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_minclass\"\n },\n {\n \"text\": \"15\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_minlen\"\n },\n {\n \"text\": \"-1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_ocredit\"\n },\n {\n \"text\": \"3\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_retry\"\n },\n {\n \"text\": \"-1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_ucredit\"\n },\n {\n \"text\": \"300\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logind_session_timeout\"\n },\n {\n \"text\": \"default\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_smartcard_drivers\"\n },\n {\n \"text\": \"^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex\"\n },\n {\n \"text\": \"35\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_account_disable_inactivity\"\n },\n {\n \"text\": \"35\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration\"\n },\n {\n \"text\": \"60\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\"\n },\n {\n \"text\": \"7\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\"\n },\n {\n \"text\": \"15\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs\"\n },\n {\n \"text\": \"7\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\"\n },\n {\n \"text\": \"5000\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds\"\n },\n {\n \"text\": \"4\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_fail_delay\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions\"\n },\n {\n \"text\": \"600\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_tmout\"\n },\n {\n \"text\": \"(\\\\.bashrc|\\\\.zshrc|\\\\.cshrc|\\\\.profile|\\\\.bash_login|\\\\.bash_profile)\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_user_initialization_files_regex\"\n },\n {\n \"text\": \"027\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\"\n },\n {\n \"text\": \"2\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_audit_failure_mode\"\n },\n {\n \"text\": \"single\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_audispd_disk_full_action\"\n },\n {\n \"text\": \"single\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_audispd_network_failure_action\"\n },\n {\n \"text\": \"logcollector\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_audispd_remote_server\"\n },\n {\n \"text\": \"root\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct\"\n },\n {\n \"text\": \"halt\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_percentage\"\n },\n {\n \"text\": \"single\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_error_action\"\n },\n {\n \"text\": \"single\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_full_action\"\n },\n {\n \"text\": \"data\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_flush\"\n },\n {\n \"text\": \"50\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_freq\"\n },\n {\n \"text\": \"6\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file\"\n },\n {\n \"text\": \"rotate\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action\"\n },\n {\n \"text\": \"5\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_num_logs\"\n },\n {\n \"text\": \"100\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left\"\n },\n {\n \"text\": \"email\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left_action\"\n },\n {\n \"text\": \"25\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left_percentage\"\n },\n {\n \"text\": \"flush\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\"\n },\n {\n \"text\": \"full\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mds_options\"\n },\n {\n \"text\": \"500\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\"\n },\n {\n \"text\": \"prctl\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\"\n },\n {\n \"text\": \"sha512\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash\"\n },\n {\n \"text\": \"certs/signing_key.pem\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout\"\n },\n {\n \"text\": \"root\",\n \"idref\": \"xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value\"\n },\n {\n \"text\": \"root\",\n \"idref\": \"xccdf_org.ssgproject.content_value_file_owner_logfiles_value\"\n },\n {\n \"text\": \"logcollector\",\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\"\n },\n {\n \"text\": \"no\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysconfig_network_IPV6_AUTOCONF_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_defrtr_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_pinfo_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_source_route_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_autoconf_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_forwarding_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_max_addresses_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_router_solicitations_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_defrtr_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_pinfo_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_source_route_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_autoconf_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_forwarding_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_max_addresses_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_router_solicitations_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_source_route_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_forwarding_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_log_martians_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_rp_filter_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_secure_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_log_martians_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_rp_filter_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_secure_redirects_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value\"\n },\n {\n \"text\": \"500\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_invalid_ratelimit_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_rfc1337_value\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value\"\n },\n {\n \"text\": \"2\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid\"\n },\n {\n \"text\": \"/dev/cdrom\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n {\n \"text\": \"2\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_unprivileged_bpf_disabled_value\"\n },\n {\n \"text\": \"022\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_umask_for_daemons\"\n },\n {\n \"text\": \"1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\"\n },\n {\n \"text\": \"P\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_slub_debug_options\"\n },\n {\n \"text\": \"targeted\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinux_policy_name\"\n },\n {\n \"text\": \"enforcing\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinux_state\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_abrt_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_abrt_handle_event\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_abrt_upload_watch_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_antivirus_use_jit\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditadm_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_authlogin_nsswitch_use_ldap\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_authlogin_radius\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_authlogin_yubikey\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_awstats_purge_apache_log_files\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_boinc_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cdrecord_read_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cluster_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cluster_manage_all_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cluster_use_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cobbler_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cobbler_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cobbler_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cobbler_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_collectd_tcp_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_conman_can_network\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_container_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cron_can_relabel\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cron_system_cronjob_use_shares\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cron_userdomain_transition\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cups_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_cvs_read_shadow\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_daemons_dump_core\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_daemons_use_tcp_wrapper\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_daemons_use_tty\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_dbadm_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_dbadm_manage_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_dbadm_read_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_deny_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_deny_ptrace\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_domain_fd_use\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_domain_kernel_load_modules\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_entropyd_use_audio\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_exim_can_connect_db\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_exim_manage_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_exim_read_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_fcron_crond\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_fenced_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_fenced_can_ssh\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_fips_mode\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_connect_db\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_full_access\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ftpd_use_passive_mode\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_cgi_enable_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_cgi_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_session_users\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_system_enable_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_system_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_git_system_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gitosis_can_sendmail\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_glance_api_can_network\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_glance_use_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_glance_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_global_ssp\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gluster_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gluster_export_all_ro\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gluster_export_all_rw\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gpg_web_anon_write\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_gssd_read_tmp\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_guest_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_haproxy_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_anon_write\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_builtin_scripting\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_check_spam\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_connect_ftp\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_connect_ldap\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_connect_mythtv\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_connect_zabbix\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_cobbler\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_db\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_network_relay\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_can_sendmail\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_dbus_avahi\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_enable_cgi\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_execmem\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_manage_ipa\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_read_user_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_run_ipa\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_run_preupgrade\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_run_stickshift\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_serve_cobbler_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_setrlimit\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_ssi_exec\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_sys_script_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_tmp_exec\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_tty_comm\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_unified\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_gpg\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_openstack\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_use_sasl\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_verify_dns\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_icecast_use_any_tcp_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_irc_use_any_tcp_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_irssi_use_full_network\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kdumpgui_run_bootloader\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kerberos_enabled\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ksmtuned_use_nfs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logadm_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logging_syslogd_run_nagios_plugins\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_login_console_enabled\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logrotate_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_logwatch_can_network_connect_mail\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mailman_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mcelog_client\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mcelog_exec_scripts\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mcelog_foreground\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mcelog_server\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_minidlna_read_generic_user_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mmap_low_allowed\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mock_enable_homedirs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mount_anyfile\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_plugin_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_gps\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_spice\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mozilla_read_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mpd_enable_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mpd_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mpd_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mplayer_execstack\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_mysql_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nagios_run_sudo\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_named_tcp_bind_http_port\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_named_write_master_zones\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_neutron_can_network\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nfs_export_all_ro\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nfs_export_all_rw\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nfsd_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nis_enabled\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_nscd_use_shm\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_openshift_use_nfs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_openvpn_can_network_connect\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_openvpn_enable_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_openvpn_run_unconfined\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_pcp_bind_all_unreserved_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_pcp_read_generic_logs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_piranha_lvs_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polipo_connect_all_unreserved\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polipo_session_bind_all_unreserved_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polipo_session_users\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polipo_use_cifs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polipo_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postgresql_can_rsync\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postgresql_selinux_unconfined_dbadm\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postgresql_selinux_users_ddl\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_pppd_can_insmod\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_pppd_for_user\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_privoxy_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_prosody_bind_http_port\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_puppetagent_manage_all_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_puppetmaster_use_db\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_racoon_read_shadow\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rsync_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rsync_client\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rsync_export_all_ro\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rsync_full_access\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_create_home_dirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_domain_controller\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_enable_home_dirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_export_all_ro\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_export_all_rw\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_load_libgfapi\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_portmapper\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_run_unconfined\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_share_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_samba_share_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sanlock_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sanlock_use_samba\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_secadm_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_secure_mode\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_secure_mode_insmod\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_secure_mode_policyload\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_execheap\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_execmod\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_execstack\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_mysql_connect_enabled\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_ping\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_postgresql_connect_enabled\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_rw_noexattrfile\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_share_music\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_tcp_server\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_udp_server\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sge_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_smartmon_3ware\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_smbd_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spamassassin_can_network\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_squid_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_squid_use_tproxy\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ssh_chroot_rw_homedirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ssh_keysign\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_ssh_sysadm_login\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_staff_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_staff_use_svirt\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_swift_can_network\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sysadm_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_telepathy_connect_all_ports\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_telepathy_tcp_connect_generic_network_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tftp_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tftp_home_dir\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tmpreaper_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tmpreaper_use_samba\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tor_bind_all_unreserved_ports\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tor_can_network_relay\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_unconfined_chrome_sandbox_transition\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_unconfined_login\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_unconfined_mozilla_plugin_transition\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_unprivuser_use_svirt\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_use_ecryptfs_home_dirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_use_fusefs_home_dirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_use_lpd_server\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_use_nfs_home_dirs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_use_samba_home_dirs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_user_exec_content\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_varnishd_connect_any\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_read_qemu_ga_data\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_rw_qemu_ga_data\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_sandbox_use_audit\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_sandbox_use_mknod\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_sandbox_use_netlink\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_transition_userdomain\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_comm\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_fusefs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_nfs\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_rawip\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_samba\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_sanlock\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_usb\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_virt_use_xserver\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_webadm_manage_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_webadm_read_user_files\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_wine_mmap_zero_ignore\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xdm_bind_vnc_tcp_port\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xdm_exec_bootloader\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xdm_sysadm_login\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xdm_write_home\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xen_use_nfs\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xend_run_blktap\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xend_run_qemu\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xguest_connect_network\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xguest_exec_content\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xguest_mount_media\"\n },\n {\n \"text\": \"true\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xguest_use_bluetooth\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xserver_clients_write_xshm\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xserver_execmem\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_xserver_object_manager\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_zabbix_can_network\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_zarafa_setrlimit\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_zebra_write_config\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_zoneminder_anon_write\"\n },\n {\n \"text\": \"false\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_zoneminder_run_sudo\"\n },\n {\n \"text\": \"warn\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_httpd_loglevel\"\n },\n {\n \"text\": \"100\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_max_keepalive_requests\"\n },\n {\n \"text\": \"^(You[\\\\s\\\\n]+are[\\\\s\\\\n]+accessing[\\\\s\\\\n]+a[\\\\s\\\\n]+U\\\\.S\\\\.[\\\\s\\\\n]+Government[\\\\s\\\\n]+\\\\(USG\\\\)[\\\\s\\\\n]+Information[\\\\s\\\\n]+System[\\\\s\\\\n]+\\\\(IS\\\\)[\\\\s\\\\n]+that[\\\\s\\\\n]+is[\\\\s\\\\n]+provided[\\\\s\\\\n]+for[\\\\s\\\\n]+USG\\\\-authorized[\\\\s\\\\n]+use[\\\\s\\\\n]+only\\\\.[\\\\s\\\\n]+By[\\\\s\\\\n]+using[\\\\s\\\\n]+this[\\\\s\\\\n]+IS[\\\\s\\\\n]+\\\\(which[\\\\s\\\\n]+includes[\\\\s\\\\n]+any[\\\\s\\\\n]+device[\\\\s\\\\n]+attached[\\\\s\\\\n]+to[\\\\s\\\\n]+this[\\\\s\\\\n]+IS\\\\)\\\\,[\\\\s\\\\n]+you[\\\\s\\\\n]+consent[\\\\s\\\\n]+to[\\\\s\\\\n]+the[\\\\s\\\\n]+following[\\\\s\\\\n]+conditions\\\\:(?:[\\\\n]+|(?:\\\\\\\\n)+)\\\\-The[\\\\s\\\\n]+USG[\\\\s\\\\n]+routinely[\\\\s\\\\n]+intercepts[\\\\s\\\\n]+and[\\\\s\\\\n]+monitors[\\\\s\\\\n]+communications[\\\\s\\\\n]+on[\\\\s\\\\n]+this[\\\\s\\\\n]+IS[\\\\s\\\\n]+for[\\\\s\\\\n]+purposes[\\\\s\\\\n]+including\\\\,[\\\\s\\\\n]+but[\\\\s\\\\n]+not[\\\\s\\\\n]+limited[\\\\s\\\\n]+to\\\\,[\\\\s\\\\n]+penetration[\\\\s\\\\n]+testing\\\\,[\\\\s\\\\n]+COMSEC[\\\\s\\\\n]+monitoring\\\\,[\\\\s\\\\n]+network[\\\\s\\\\n]+operations[\\\\s\\\\n]+and[\\\\s\\\\n]+defense\\\\,[\\\\s\\\\n]+personnel[\\\\s\\\\n]+misconduct[\\\\s\\\\n]+\\\\(PM\\\\)\\\\,[\\\\s\\\\n]+law[\\\\s\\\\n]+enforcement[\\\\s\\\\n]+\\\\(LE\\\\)\\\\,[\\\\s\\\\n]+and[\\\\s\\\\n]+counterintelligence[\\\\s\\\\n]+\\\\(CI\\\\)[\\\\s\\\\n]+investigations\\\\.(?:[\\\\n]+|(?:\\\\\\\\n)+)\\\\-At[\\\\s\\\\n]+any[\\\\s\\\\n]+time\\\\,[\\\\s\\\\n]+the[\\\\s\\\\n]+USG[\\\\s\\\\n]+may[\\\\s\\\\n]+inspect[\\\\s\\\\n]+and[\\\\s\\\\n]+seize[\\\\s\\\\n]+data[\\\\s\\\\n]+stored[\\\\s\\\\n]+on[\\\\s\\\\n]+this[\\\\s\\\\n]+IS\\\\.(?:[\\\\n]+|(?:\\\\\\\\n)+)\\\\-Communications[\\\\s\\\\n]+using\\\\,[\\\\s\\\\n]+or[\\\\s\\\\n]+data[\\\\s\\\\n]+stored[\\\\s\\\\n]+on\\\\,[\\\\s\\\\n]+this[\\\\s\\\\n]+IS[\\\\s\\\\n]+are[\\\\s\\\\n]+not[\\\\s\\\\n]+private\\\\,[\\\\s\\\\n]+are[\\\\s\\\\n]+subject[\\\\s\\\\n]+to[\\\\s\\\\n]+routine[\\\\s\\\\n]+monitoring\\\\,[\\\\s\\\\n]+interception\\\\,[\\\\s\\\\n]+and[\\\\s\\\\n]+search\\\\,[\\\\s\\\\n]+and[\\\\s\\\\n]+may[\\\\s\\\\n]+be[\\\\s\\\\n]+disclosed[\\\\s\\\\n]+or[\\\\s\\\\n]+used[\\\\s\\\\n]+for[\\\\s\\\\n]+any[\\\\s\\\\n]+USG\\\\-authorized[\\\\s\\\\n]+purpose\\\\.(?:[\\\\n]+|(?:\\\\\\\\n)+)\\\\-This[\\\\s\\\\n]+IS[\\\\s\\\\n]+includes[\\\\s\\\\n]+security[\\\\s\\\\n]+measures[\\\\s\\\\n]+\\\\(e\\\\.g\\\\.\\\\,[\\\\s\\\\n]+authentication[\\\\s\\\\n]+and[\\\\s\\\\n]+access[\\\\s\\\\n]+controls\\\\)[\\\\s\\\\n]+to[\\\\s\\\\n]+protect[\\\\s\\\\n]+USG[\\\\s\\\\n]+interests\\\\-\\\\-not[\\\\s\\\\n]+for[\\\\s\\\\n]+your[\\\\s\\\\n]+personal[\\\\s\\\\n]+benefit[\\\\s\\\\n]+or[\\\\s\\\\n]+privacy\\\\.(?:[\\\\n]+|(?:\\\\\\\\n)+)\\\\-Notwithstanding[\\\\s\\\\n]+the[\\\\s\\\\n]+above\\\\,[\\\\s\\\\n]+using[\\\\s\\\\n]+this[\\\\s\\\\n]+IS[\\\\s\\\\n]+does[\\\\s\\\\n]+not[\\\\s\\\\n]+constitute[\\\\s\\\\n]+consent[\\\\s\\\\n]+to[\\\\s\\\\n]+PM\\\\,[\\\\s\\\\n]+LE[\\\\s\\\\n]+or[\\\\s\\\\n]+CI[\\\\s\\\\n]+investigative[\\\\s\\\\n]+searching[\\\\s\\\\n]+or[\\\\s\\\\n]+monitoring[\\\\s\\\\n]+of[\\\\s\\\\n]+the[\\\\s\\\\n]+content[\\\\s\\\\n]+of[\\\\s\\\\n]+privileged[\\\\s\\\\n]+communications\\\\,[\\\\s\\\\n]+or[\\\\s\\\\n]+work[\\\\s\\\\n]+product\\\\,[\\\\s\\\\n]+related[\\\\s\\\\n]+to[\\\\s\\\\n]+personal[\\\\s\\\\n]+representation[\\\\s\\\\n]+or[\\\\s\\\\n]+services[\\\\s\\\\n]+by[\\\\s\\\\n]+attorneys\\\\,[\\\\s\\\\n]+psychotherapists\\\\,[\\\\s\\\\n]+or[\\\\s\\\\n]+clergy\\\\,[\\\\s\\\\n]+and[\\\\s\\\\n]+their[\\\\s\\\\n]+assistants\\\\.[\\\\s\\\\n]+Such[\\\\s\\\\n]+communications[\\\\s\\\\n]+and[\\\\s\\\\n]+work[\\\\s\\\\n]+product[\\\\s\\\\n]+are[\\\\s\\\\n]+private[\\\\s\\\\n]+and[\\\\s\\\\n]+confidential\\\\.[\\\\s\\\\n]+See[\\\\s\\\\n]+User[\\\\s\\\\n]+Agreement[\\\\s\\\\n]+for[\\\\s\\\\n]+details\\\\.|I've[\\\\s\\\\n]+read[\\\\s\\\\n]+\\\\&[\\\\s\\\\n]+consent[\\\\s\\\\n]+to[\\\\s\\\\n]+terms[\\\\s\\\\n]+in[\\\\s\\\\n]+IS[\\\\s\\\\n]+user[\\\\s\\\\n]+agreem't\\\\.)$\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_web_login_banner_text\"\n },\n {\n \"text\": \"loopback-only\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_inet_interfaces\"\n },\n {\n \"text\": \"smtp.$mydomain\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_relayhost\"\n },\n {\n \"text\": \"system.administrator@mail.mil\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias\"\n },\n {\n \"text\": \"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_multiple_time_servers\"\n },\n {\n \"text\": \"10\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll\"\n },\n {\n \"text\": \"/var/lib/tftpboot\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_tftpd_secure_directory\"\n },\n {\n \"text\": \"changemero\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_snmpd_ro_string\"\n },\n {\n \"text\": \"changemerw\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_snmpd_rw_string\"\n },\n {\n \"text\": \"public\",\n \"idref\": \"xccdf_org.ssgproject.content_value_firewalld_sshd_zone\"\n },\n {\n \"text\": \"aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_approved_ciphers\"\n },\n {\n \"text\": \"hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_approved_macs\"\n },\n {\n \"text\": \"300\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_idle_timeout_value\"\n },\n {\n \"text\": \"22\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_listening_port\"\n },\n {\n \"text\": \"4\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n {\n \"text\": \"ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\",\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_strong_kex\"\n },\n {\n \"text\": \"10\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\"\n },\n {\n \"text\": \"0\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\"\n },\n {\n \"text\": \"512M\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\"\n },\n {\n \"text\": \"1h\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\"\n },\n {\n \"text\": \"no\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_disable_compression\"\n },\n {\n \"text\": \"sandbox\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\"\n },\n {\n \"text\": \"60\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time\"\n },\n {\n \"text\": \"10:30:100\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups\"\n },\n {\n \"text\": \"sha1\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sssd_certificate_verification_digest_function\"\n },\n {\n \"text\": \"300\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sssd_memcache_timeout\"\n },\n {\n \"text\": \"180\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout\"\n },\n {\n \"text\": \"/etc/openldap/cacerts\",\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sssd_ldap_tls_ca_dir\"\n }\n ],\n \"TestResult.target\": \"localhost.localdomain\",\n \"TestResult.target-facts\": {\n \"fact\": [\n {\n \"text\": \"OpenSCAP\",\n \"name\": \"urn:xccdf:fact:scanner:name\",\n \"type\": \"string\"\n },\n {\n \"text\": \"1.3.8\",\n \"name\": \"urn:xccdf:fact:scanner:version\",\n \"type\": \"string\"\n },\n {\n \"text\": \"localhost.localdomain\",\n \"name\": \"urn:xccdf:fact:asset:identifier:host_name\",\n \"type\": \"string\"\n },\n {\n \"text\": \"podman-image://5d2df19066aca89df8e5317544a1cb599dc657830184762ff6fdefaaf708db65 [docker.io/library/ubuntu:18.04]\",\n \"name\": \"urn:xccdf:fact:identifier\",\n \"type\": \"string\"\n },\n {\n \"text\": \"podman-image://5d2df19066aca89df8e5317544a1cb599dc657830184762ff6fdefaaf708db65 [docker.io/library/ubuntu:18.04]\",\n \"name\": \"urn:xccdf:fact:asset:identifier:ein\",\n \"type\": \"string\"\n }\n ]\n },\n \"TestResult.test-system\": \"cpe:/a:redhat:openscap:1.3.8\",\n \"TestResult.title\": \"OSCAP Scan Result\",\n \"TestResult.version\": \"0.1.66\"\n}",
+ "license": "terms_of_use",
+ "copyright": "SCAP Security Guide Project",
+ "copyright_email": "disa.stig_spt@mail.mil",
+ "supports": [],
+ "attributes": [],
+ "groups": [],
+ "status": "loaded",
+ "controls": [
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-17 a.",
+ "AC-17 (2)",
+ "CM-6 a.",
+ "MA-4 (6)",
+ "SC-13"
+ ],
+ "severity": "medium",
+ "description": "Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.\nTo override the system wide crypto policy for Openssh client, place a file in theso that it is loaded before the. In this case it is file namedcontaining parameters which need to be changed with respect to the crypto policy.\nThis rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.\nDuring the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.",
+ "group_id": "xccdf_org.ssgproject.content_group_crypto",
+ "group_title": "System Cryptographic Policies",
+ "group_description": "Linux has the capability to centrally configure cryptographic polices. The commandis used to set the policy applicable for the various\ncryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic\npolicies will be the default policy used by these backends unless the application\nuser configures them otherwise. When the system has been configured to use the\ncentralized cryptographic policies, the administrator is assured that any application\nthat utilizes the supported backends will follow a policy that adheres to the\nconfigured profile.\n\nCurrently the supported backends are:Applications and languages which rely on any of these backends will follow the\nsystem policies as well. Examples are apache httpd, nginx, php, and others.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-harden_ssh_client_crypto_policy:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-harden_ssh_client_crypto_policy_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "harden_ssh_client_crypto_policy",
+ "reference": {
+ "references": [
+ {
+ "text": "CIP-003-8 R4.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R7.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MA-4(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FCS_SSHC_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000033-GPOS-00014",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000250-GPOS-00093",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000393-GPOS-00173",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000394-GPOS-00174",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CIP-003-8 R4.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R7.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MA-4(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FCS_SSHC_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000033-GPOS-00014",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000250-GPOS-00093",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000393-GPOS-00173",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000394-GPOS-00174",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Harden SSH client Crypto Policy",
+ "id": "xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy",
+ "desc": "Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.\nTo override the system wide crypto policy for Openssh client, place a file in theso that it is loaded before the. In this case it is file namedcontaining parameters which need to be changed with respect to the crypto policy.\nThis rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.\nDuring the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.",
+ "descriptions": [
+ {
+ "data": "#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy\nfile=\"/etc/ssh/ssh_config.d/02-ospp.conf\"\necho -e \"Match final all\\n\\\nRekeyLimit 512M 1h\\n\\\nGSSAPIAuthentication no\\n\\\nCiphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\\n\\\nPubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\\n\\\nMACs hmac-sha2-512,hmac-sha2-256\\n\\\nKexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\\n\" > \"$file\"",
+ "label": "fix"
+ },
+ {
+ "data": "The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Harden SSH client Crypto Policy\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/ssh/ssh_config.d/\",\n \"05-redhat.conf\",\n \"02-ospp.conf\"\n ],\n \"text\": \"Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.\\nTo override the system wide crypto policy for Openssh client, place a file in theso that it is loaded before the. In this case it is file namedcontaining parameters which need to be changed with respect to the crypto policy.\\nThis rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.\\nDuring the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CIP-003-8 R4.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R7.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MA-4(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FCS_SSHC_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000033-GPOS-00014\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000250-GPOS-00093\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000393-GPOS-00173\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000394-GPOS-00174\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy\\nfile=\\\"/etc/ssh/ssh_config.d/02-ospp.conf\\\"\\necho -e \\\"Match final all\\\\n\\\\\\nRekeyLimit 512M 1h\\\\n\\\\\\nGSSAPIAuthentication no\\\\n\\\\\\nCiphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\\\\n\\\\\\nPubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\\\\n\\\\\\nMACs hmac-sha2-512,hmac-sha2-256\\\\n\\\\\\nKexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\\\\n\\\" > \\\"$file\\\"\",\n \"id\": \"harden_ssh_client_crypto_policy\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-harden_ssh_client_crypto_policy:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-harden_ssh_client_crypto_policy_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.\nTo override the system wide crypto policy for Openssh client, place a file in theso that it is loaded before the. In this case it is file namedcontaining parameters which need to be changed with respect to the crypto policy.\nThis rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.\nDuring the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000803",
+ "CCI-002450"
+ ],
+ "nist": [
+ "IA-7",
+ "SC-13 b",
+ "SC-12 (2)",
+ "SC-12 (3)",
+ "SC-13",
+ "CM-6 a.",
+ "SC-12"
+ ],
+ "severity": "high",
+ "description": "To enable processing of sensitive information the operating system must\nprovide certified cryptographic modules compliant with FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.",
+ "group_id": "xccdf_org.ssgproject.content_group_certified-vendor",
+ "group_title": "Operating System Vendor Support and Certification",
+ "group_description": "The assurance of a vendor to provide operating system support and maintenance\nfor their product is an important criterion to ensure product stability and\nsecurity over the life of the product. A certified product that follows the\nnecessary standards and government certification requirements guarantees that\nknown software vulnerabilities will be remediated, and proper guidance for\nprotecting and securing the operating system will be given.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-installed_OS_is_FIPS_certified:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-installed_OS_is_FIPS_certified_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000803",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002450",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-003-8 R4.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "SC-12(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-12(3)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000120-VMM-000600",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000478-VMM-001980",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000396-VMM-001590",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000803",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002450",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-003-8 R4.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "SC-12(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-12(3)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000120-VMM-000600"
+ },
+ {
+ "ref": "SRG-OS-000478-VMM-001980"
+ },
+ {
+ "ref": "SRG-OS-000396-VMM-001590"
+ }
+ ],
+ "source_location": {},
+ "title": "The Installed Operating System Is FIPS 140-2 Certified",
+ "id": "xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified",
+ "desc": "To enable processing of sensitive information the operating system must\nprovide certified cryptographic modules compliant with FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.",
+ "descriptions": [
+ {
+ "data": "The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS\nPUB 140-2) is a computer security standard. The standard specifies security\nrequirements for cryptographic modules used to protect sensitive\nunclassified information. Refer to the full FIPS 140-2 standard atfor further details on the requirements.\nFIPS 140-2 validation is required by U.S. law when information systems use\ncryptography to protect sensitive government information. In order to\nachieve FIPS 140-2 certification, cryptographic modules are subject to\nextensive testing by independent laboratories, accredited by National\nInstitute of Standards and Technology (NIST).",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"The Installed Operating System Is FIPS 140-2 Certified\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"To enable processing of sensitive information the operating system must\\nprovide certified cryptographic modules compliant with FIPS 140-2\\nstandard.\\n\\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\\nresponsible for government certifications and standards.\\n\\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\\nFIPS content supported by Canonical.\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"There is no remediation besides switching to a different operating system.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n {\n \"b\": {\n \"a\": {\n \"text\": \"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\"\n }\n },\n \"text\": \"System Crypto Modules must be provided by a vendor that undergoes\\nFIPS-140 certifications.\\nFIPS-140 is applicable to all Federal agencies that use\\ncryptographic-based security systems to protect sensitive information\\nin computer and telecommunication systems (including voice systems) as\\ndefined in Section 5131 of the Information Technology Management Reform\\nAct of 1996, Public Law 104-106. This standard shall be used in\\ndesigning and implementing cryptographic modules that Federal\\ndepartments and agencies operate or are operated for them under\\ncontract. SeeTo meet this, the system has to have cryptographic software provided by\\na vendor that has undergone this certification. This means providing\\ndocumentation, test results, design information, and independent third\\nparty review by an accredited lab. While open source software is\\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\\nsubmits to this process.\",\n \"lang\": \"en-US\",\n \"category\": \"regulatory\"\n }\n ],\n \"reference\": [\n {\n \"text\": \"CCI-000803\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002450\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-003-8 R4.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"SC-12(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-12(3)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000120-VMM-000600\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000478-VMM-001980\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000396-VMM-001590\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"a\": {\n \"text\": \"http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf\",\n \"href\": \"http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf\"\n },\n \"text\": \"The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS\\nPUB 140-2) is a computer security standard. The standard specifies security\\nrequirements for cryptographic modules used to protect sensitive\\nunclassified information. Refer to the full FIPS 140-2 standard atfor further details on the requirements.\\nFIPS 140-2 validation is required by U.S. law when information systems use\\ncryptography to protect sensitive government information. In order to\\nachieve FIPS 140-2 certification, cryptographic modules are subject to\\nextensive testing by independent laboratories, accredited by National\\nInstitute of Standards and Technology (NIST).\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-installed_OS_is_FIPS_certified:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-installed_OS_is_FIPS_certified_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To enable processing of sensitive information the operating system must\nprovide certified cryptographic modules compliant with FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-001233",
+ "CCI-001263"
+ ],
+ "nist": [
+ "CM-6 b",
+ "SI-2 (2)",
+ "SI-4 (5)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\nnecessary. If SELinux is enabled, do not install or enable this module.",
+ "group_id": "xccdf_org.ssgproject.content_group_mcafee_hbss_software",
+ "group_title": "McAfee Host-Based Intrusion Detection Software (HBSS)",
+ "group_description": "McAfee Host-based Security System (HBSS) is a suite of software applications\nused to monitor, detect, and defend computer networks and systems.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_MFEhiplsm_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "package_MFEhiplsm_installed",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO07.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO08.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS04.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA03.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001233",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001263",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.12",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.8",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "Clause 16.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "Clause 7.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.DP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.DP-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.DP-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.DP-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.RA-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-8",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.CO-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-11.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000191-GPOS-00080",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000196",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO07.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO08.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS04.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA03.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001233",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001263",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.12",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.8",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "Clause 16.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "Clause 7.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.DP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.DP-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.DP-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.DP-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.RA-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-8",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.CO-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-11.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000191-GPOS-00080",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000196",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Install the Host Intrusion Prevention System (HIPS) Module",
+ "id": "xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed",
+ "desc": "Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\nnecessary. If SELinux is enabled, do not install or enable this module.",
+ "descriptions": [
+ {
+ "data": "[[packages]]\nname = \"MFEhiplsm\"\nversion = \"*\"",
+ "label": "fix"
+ },
+ {
+ "data": "Without a host-based intrusion detection tool, there is no system-level defense\nwhen an intruder gains access to a system or network. Additionally, a host-based\nintrusion prevention tool can provide methods to immediately lock out detected\nintrusion attempts.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Install the Host Intrusion Prevention System (HIPS) Module\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\\nnecessary. If SELinux is enabled, do not install or enable this module.\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"Installing and enabling this module conflicts with SELinux.\\nPer DoD/DISA guidance, SELinux takes precedence over this module.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n {\n \"text\": \"Due to McAfee HIPS being 3rd party software, automated\\nremediation is not available for this configuration check.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n }\n ],\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO07.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO08.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS04.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA03.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001233\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001263\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.12\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.8\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"Clause 16.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"Clause 7.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.DP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.DP-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.DP-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.DP-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.RA-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-8\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.CO-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-11.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000191-GPOS-00080\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000196\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without a host-based intrusion detection tool, there is no system-level defense\\nwhen an intruder gains access to a system or network. Additionally, a host-based\\nintrusion prevention tool can provide methods to immediately lock out detected\\nintrusion attempts.\",\n \"lang\": \"en-US\"\n },\n \"conflicts\": {\n \"idref\": \"xccdf_org.ssgproject.content_rule_selinux_state\"\n },\n \"fix\": {\n \"text\": \"[[packages]]\\nname = \\\"MFEhiplsm\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_MFEhiplsm_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_MFEhiplsm_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\nnecessary. If SELinux is enabled, do not install or enable this module.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The operating system must conduct backups of user data contained\nin the operating system. The operating system provides utilities for\nautomating backups of user data. Commercial and open-source products\nare also available.",
+ "group_id": "xccdf_org.ssgproject.content_group_endpoint_security_software",
+ "group_title": "Endpoint Protection Software",
+ "group_description": "Endpoint protection security software that is not provided or supported\n\nby Red Hat can be installed to provide complementary or duplicative\n\nsecurity capabilities to those provided by the base platform. Add-on\nsoftware may not be appropriate for some specialized systems.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_configure_user_data_backups",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-configure_user_data_backups_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_configure_user_data_backups",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Backups of User Data",
+ "id": "xccdf_org.ssgproject.content_rule_configure_user_data_backups",
+ "desc": "The operating system must conduct backups of user data contained\nin the operating system. The operating system provides utilities for\nautomating backups of user data. Commercial and open-source products\nare also available.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-configure_user_data_backups_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Operating system backup is a critical step in maintaining data assurance and\navailability. User-level information is data generated by information system\nand/or application users. Backups shall be consistent with organizational\nrecovery time and recovery point objectives.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Backups of User Data\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The operating system must conduct backups of user data contained\\nin the operating system. The operating system provides utilities for\\nautomating backups of user data. Commercial and open-source products\\nare also available.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Operating system backup is a critical step in maintaining data assurance and\\navailability. User-level information is data generated by information system\\nand/or application users. Backups shall be consistent with organizational\\nrecovery time and recovery point objectives.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-configure_user_data_backups_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_configure_user_data_backups\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The operating system must conduct backups of user data contained\nin the operating system. The operating system provides utilities for\nautomating backups of user data. Commercial and open-source products\nare also available.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-001208"
+ ],
+ "nist": [
+ "CM-6 b",
+ "SC-32",
+ "CM-6 a.",
+ "SC-5 (2)"
+ ],
+ "severity": "low",
+ "description": "If user home directories will be stored locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_home",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_home:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_home_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001208",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.12",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_home",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001208",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.12",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /home Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_home",
+ "desc": "If user home directories will be stored locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "descriptions": [
+ {
+ "data": "Ensuring thatis mounted on its own partition enables the\nsetting of more restrictive mount options, and also helps ensure that\nusers cannot trivially fill partitions used for log or audit data storage.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /home Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/home\",\n \"/home\"\n ],\n \"text\": \"If user home directories will be stored locally, create a separate partition\\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\\ncreating a separate partition is not necessary at installation time, and the\\nmountpoint can instead be configured later.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001208\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.12\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/home\",\n \"text\": \"Ensuring thatis mounted on its own partition enables the\\nsetting of more restrictive mount options, and also helps ensure that\\nusers cannot trivially fill partitions used for log or audit data storage.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_home:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_home_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_home\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If user home directories will be stored locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "If a file server (FTP, TFTP...) is hosted locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_srv",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_srv:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_srv_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_srv",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R12)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /srv Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_srv",
+ "desc": "If a file server (FTP, TFTP...) is hosted locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "descriptions": [
+ {
+ "data": "Srv deserves files for local network file server such as FTP. Ensuring\nthatis mounted on its own partition enables the setting of\nmore restrictive mount options, and also helps ensure that\nusers cannot trivially fill partitions used for log or audit data storage.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /srv Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/srv\",\n \"/srv\"\n ],\n \"text\": \"If a file server (FTP, TFTP...) is hosted locally, create a separate partition\\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\\ncreating a separate partition is not necessary at installation time, and the\\nmountpoint can instead be configured later.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"code\": \"/srv\",\n \"text\": \"Srv deserves files for local network file server such as FTP. Ensuring\\nthatis mounted on its own partition enables the setting of\\nmore restrictive mount options, and also helps ensure that\\nusers cannot trivially fill partitions used for log or audit data storage.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_srv:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_srv_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_srv\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If a file server (FTP, TFTP...) is hosted locally, create a separate partition\nforat installation time (or migrate it later using LVM). Ifwill be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a.",
+ "SC-5 (2)"
+ ],
+ "severity": "low",
+ "description": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_tmp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.2",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_tmp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.2",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /tmp Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_tmp",
+ "desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "descriptions": [
+ {
+ "data": "Thepartition is used as temporary storage by many programs.\nPlacingin its own partition enables the setting of more\nrestrictive mount options, which can help protect programs which use it.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /tmp Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/tmp\",\n \"text\": \"Thedirectory is a world-writable directory used\\nfor temporary file storage. Ensure it has its own partition or\\nlogical volume at installation time, or migrate it using LVM.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.2\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/tmp\",\n \"/tmp\"\n ],\n \"text\": \"Thepartition is used as temporary storage by many programs.\\nPlacingin its own partition enables the setting of more\\nrestrictive mount options, which can help protect programs which use it.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_tmp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a.",
+ "SC-5 (2)"
+ ],
+ "severity": "low",
+ "description": "Thedirectory is used by daemons and other system\nservices to store frequently-changing data. Ensure thathas its own partition\nor logical volume at installation time, or migrate it using LVM.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_var",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000341-VMM-001220",
+ "href": ""
+ },
+ {
+ "text": "1.1.5",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_var",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000341-VMM-001220"
+ },
+ {
+ "ref": "1.1.5",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /var Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_var",
+ "desc": "Thedirectory is used by daemons and other system\nservices to store frequently-changing data. Ensure thathas its own partition\nor logical volume at installation time, or migrate it using LVM.",
+ "descriptions": [
+ {
+ "data": "Ensuring thatis mounted on its own partition enables the\nsetting of more restrictive mount options. This helps protect\nsystem services such as daemons or other programs which use it.\nIt is not uncommon for thedirectory to contain\nworld-writable directories installed by other software packages.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /var Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/var\",\n \"/var\"\n ],\n \"text\": \"Thedirectory is used by daemons and other system\\nservices to store frequently-changing data. Ensure thathas its own partition\\nor logical volume at installation time, or migrate it using LVM.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000341-VMM-001220\",\n \"href\": \"\"\n },\n {\n \"text\": \"1.1.5\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/var\",\n \"/var\"\n ],\n \"text\": \"Ensuring thatis mounted on its own partition enables the\\nsetting of more restrictive mount options. This helps protect\\nsystem services such as daemons or other programs which use it.\\nIt is not uncommon for thedirectory to contain\\nworld-writable directories installed by other software packages.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_var\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedirectory is used by daemons and other system\nservices to store frequently-changing data. Ensure thathas its own partition\nor logical volume at installation time, or migrate it using LVM.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a.",
+ "AU-4",
+ "SC-5 (2)"
+ ],
+ "severity": "low",
+ "description": "System logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_var_log",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R47)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.10",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_var_log",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R47)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.10",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /var/log Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_var_log",
+ "desc": "System logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.",
+ "descriptions": [
+ {
+ "data": "Placingin its own partition\nenables better separation between log files\nand other files in.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /var/log Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/var/log\",\n \"/var/log\"\n ],\n \"text\": \"System logs are stored in thedirectory.\\n\\nEnsure thathas its own partition or logical\\nvolume at installation time, or migrate it using LVM.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R47)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.10\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/var/log\",\n \"/var/\"\n ],\n \"text\": \"Placingin its own partition\\nenables better separation between log files\\nand other files in.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_var_log\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-001849"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AU-4",
+ "CM-6 a.",
+ "SC-5 (2)"
+ ],
+ "severity": "low",
+ "description": "Audit logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_var_log_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R43)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001849",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000341-GPOS-00132",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000341-VMM-001220",
+ "href": ""
+ },
+ {
+ "text": "1.1.11",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_var_log_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R43)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001849",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000341-GPOS-00132",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000341-VMM-001220"
+ },
+ {
+ "ref": "1.1.11",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /var/log/audit Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_var_log_audit",
+ "desc": "Audit logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.",
+ "descriptions": [
+ {
+ "data": "Placingin its own partition\nenables better separation between audit files\nand other files, and helps ensure that\nauditing cannot be halted due to the partition running out\nof space.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /var/log/audit Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/var/log/audit\",\n \"/var/log/audit\"\n ],\n \"text\": \"Audit logs are stored in thedirectory.\\n\\nEnsure thathas its own partition or logical\\nvolume at installation time, or migrate it using LVM.\\nMake absolutely certain that it is large enough to store all\\naudit logs that will be created by the auditing daemon.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R43)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001849\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000341-GPOS-00132\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000341-VMM-001220\",\n \"href\": \"\"\n },\n {\n \"text\": \"1.1.11\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/audit\",\n \"text\": \"Placingin its own partition\\nenables better separation between audit files\\nand other files, and helps ensure that\\nauditing cannot be halted due to the partition running out\\nof space.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_var_log_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Audit logs are stored in thedirectory.\n\nEnsure thathas its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "group_id": "xccdf_org.ssgproject.content_group_disk_partitioning",
+ "group_title": "Disk Partitioning",
+ "group_description": "To ensure separation and protection of data, there\nare top-level system directories which should be placed on their\nown physical partition or logical volume. The installer's default\npartitioning scheme creates separate logical volumes for,, and.If a system has already been installed, and the default\npartitioning\nscheme was used, it is possible but nontrivial to\nmodify it to create separate logical volumes for the directories\nlisted above. The Logical Volume Manager (LVM) makes this possible.\nSee the LVM HOWTO atfor more detailed information on LVM.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_partition_for_var_tmp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.6",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_partition_for_var_tmp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.6",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure /var/tmp Located On Separate Partition",
+ "id": "xccdf_org.ssgproject.content_rule_partition_for_var_tmp",
+ "desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "descriptions": [
+ {
+ "data": "Thepartition is used as temporary storage by many programs.\nPlacingin its own partition enables the setting of more\nrestrictive mount options, which can help protect programs which use it.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure /var/tmp Located On Separate Partition\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/tmp\",\n \"text\": \"Thedirectory is a world-writable directory used\\nfor temporary file storage. Ensure it has its own partition or\\nlogical volume at installation time, or migrate it using LVM.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.6\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/var/tmp\",\n \"/var/tmp\"\n ],\n \"text\": \"Thepartition is used as temporary storage by many programs.\\nPlacingin its own partition enables the setting of more\\nrestrictive mount options, which can help protect programs which use it.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-partition_for_var_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_partition_for_var_tmp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedirectory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g..\n\nTo disable XDMCP support in Gnome, settounder theconfiguration section in. For example:",
+ "group_id": "xccdf_org.ssgproject.content_group_gnome_login_screen",
+ "group_title": "Configure GNOME Login Screen",
+ "group_description": "In the default GNOME desktop, the login is displayed after system boot\nand can display user accounts, allow users to reboot the system, and allow users to\nlogin automatically and/or with a guest account. The login screen should be configured\nto prevent such behavior.For more information about enforcing preferences in the GNOME3 environment using the DConf\nconfiguration system, seeand the man page.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-gnome_gdm_disable_xdmcp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-gnome_gdm_disable_xdmcp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "gnome_gdm_disable_xdmcp",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable XDMCP in GDM",
+ "id": "xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp",
+ "desc": "XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g..\n\nTo disable XDMCP support in Gnome, settounder theconfiguration section in. For example:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'gdm3' 2>/dev/null | grep -q installed; then\n\n# Try find '[xdmcp]' and 'Enable' in '/etc/gdm3/custom.conf', if it exists, set\n# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there\nif grep -qzosP '[[:space:]]*\\[xdmcp]([^\\n\\[]*\\n+)+?[[:space:]]*Enable' '/etc/gdm3/custom.conf'; then\n \n sed -i \"s/Enable[^(\\n)]*/Enable=false/\" '/etc/gdm3/custom.conf'\nelif grep -qs '[[:space:]]*\\[xdmcp]' '/etc/gdm3/custom.conf'; then\n sed -i \"/[[:space:]]*\\[xdmcp]/a Enable=false\" '/etc/gdm3/custom.conf'\nelse\n if test -d \"/etc/gdm3\"; then\n printf '%s\\n' '[xdmcp]' \"Enable=false\" >> '/etc/gdm3/custom.conf'\n else\n echo \"Config file directory '/etc/gdm3' doesnt exist, not remediating, assuming non-applicability.\" >&2\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does\nnot provide for the confidentiality and integrity of user passwords or the\nremote session. If a privileged user were to login using XDMCP, the\nprivileged user password could be compromised due to typed XEvents\nand keystrokes will traversing over the network in clear text.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Disable XDMCP in GDM\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"a\": {\n \"text\": \"XDMCP Gnome docs\",\n \"href\": \"https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity\"\n },\n \"code\": [\n \"Enable\",\n \"false\",\n \"[xdmcp]\",\n \"/etc/gdm/custom.conf\"\n ],\n \"pre\": \"[xdmcp]\\nEnable=false\",\n \"text\": \"XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g..\\n\\nTo disable XDMCP support in Gnome, settounder theconfiguration section in. For example:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does\\nnot provide for the confidentiality and integrity of user passwords or the\\nremote session. If a privileged user were to login using XDMCP, the\\nprivileged user password could be compromised due to typed XEvents\\nand keystrokes will traversing over the network in clear text.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'gdm3' 2>/dev/null | grep -q installed; then\\n\\n# Try find '[xdmcp]' and 'Enable' in '/etc/gdm3/custom.conf', if it exists, set\\n# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there\\nif grep -qzosP '[[:space:]]*\\\\[xdmcp]([^\\\\n\\\\[]*\\\\n+)+?[[:space:]]*Enable' '/etc/gdm3/custom.conf'; then\\n \\n sed -i \\\"s/Enable[^(\\\\n)]*/Enable=false/\\\" '/etc/gdm3/custom.conf'\\nelif grep -qs '[[:space:]]*\\\\[xdmcp]' '/etc/gdm3/custom.conf'; then\\n sed -i \\\"/[[:space:]]*\\\\[xdmcp]/a Enable=false\\\" '/etc/gdm3/custom.conf'\\nelse\\n if test -d \\\"/etc/gdm3\\\"; then\\n printf '%s\\\\n' '[xdmcp]' \\\"Enable=false\\\" >> '/etc/gdm3/custom.conf'\\n else\\n echo \\\"Config file directory '/etc/gdm3' doesnt exist, not remediating, assuming non-applicability.\\\" >&2\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"gnome_gdm_disable_xdmcp\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-gnome_gdm_disable_xdmcp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-gnome_gdm_disable_xdmcp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g..\n\nTo disable XDMCP support in Gnome, settounder theconfiguration section in. For example:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "The sudotag, when specified, prevents user executed\ncommands from executing other commands, like a shell for example.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_add_noexec",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R58)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_add_noexec",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R58)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_add_noexec",
+ "desc": "The sudotag, when specified, prevents user executed\ncommands from executing other commands, like a shell for example.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "descriptions": [
+ {
+ "data": "Restricting the capability of sudo allowed commands to execute sub-commands\nprevents users from running programs with privileges they wouldn't have otherwise.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"NOEXEC\",\n \"NOEXEC\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudotag, when specified, prevents user executed\\ncommands from executing other commands, like a shell for example.\\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\\nin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R58)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Restricting the capability of sudo allowed commands to execute sub-commands\\nprevents users from running programs with privileges they wouldn't have otherwise.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"if /usr/sbin/visudo -qcf /etc/sudoers; then\\n cp /etc/sudoers /etc/sudoers.bak\\n if ! grep -P '^[\\\\s]*Defaults[\\\\s]*\\\\bnoexec\\\\b.*$' /etc/sudoers; then\\n # sudoers file doesn't define Option noexec\\n echo \\\"Defaults noexec\\\" >> /etc/sudoers\\n fi\\n \\n # Check validity of sudoers and cleanup bak\\n if /usr/sbin/visudo -qcf /etc/sudoers; then\\n rm -f /etc/sudoers.bak\\n else\\n echo \\\"Fail to validate remediated /etc/sudoers, reverting to original file.\\\"\\n mv /etc/sudoers.bak /etc/sudoers\\n false\\n fi\\nelse\\n echo \\\"Skipping remediation, /etc/sudoers failed to validate\\\"\\n false\\nfi\",\n \"id\": \"sudo_add_noexec\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Ensure noexec is enabled in /etc/sudoers\\n lineinfile:\\n path: /etc/sudoers\\n regexp: ^[\\\\s]*Defaults.*\\\\bnoexec\\\\b.*$\\n line: Defaults noexec\\n validate: /usr/sbin/visudo -cf %s\\n tags:\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_add_noexec\",\n \"id\": \"sudo_add_noexec\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_add_noexec\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudotag, when specified, prevents user executed\ncommands from executing other commands, like a shell for example.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_add_requiretty",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_requiretty:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R58)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_add_requiretty",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R58)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_add_requiretty",
+ "desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "descriptions": [
+ {
+ "data": "Restricting the use cases in which a user is allowed to execute sudo commands\nreduces the attack surface.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"requiretty\",\n \"requiretty\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudotag, when specified, will only execute sudo\\ncommands from users logged in to a real tty.\\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\\nin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R58)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Restricting the use cases in which a user is allowed to execute sudo commands\\nreduces the attack surface.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"if /usr/sbin/visudo -qcf /etc/sudoers; then\\n cp /etc/sudoers /etc/sudoers.bak\\n if ! grep -P '^[\\\\s]*Defaults[\\\\s]*\\\\brequiretty\\\\b.*$' /etc/sudoers; then\\n # sudoers file doesn't define Option requiretty\\n echo \\\"Defaults requiretty\\\" >> /etc/sudoers\\n fi\\n \\n # Check validity of sudoers and cleanup bak\\n if /usr/sbin/visudo -qcf /etc/sudoers; then\\n rm -f /etc/sudoers.bak\\n else\\n echo \\\"Fail to validate remediated /etc/sudoers, reverting to original file.\\\"\\n mv /etc/sudoers.bak /etc/sudoers\\n false\\n fi\\nelse\\n echo \\\"Skipping remediation, /etc/sudoers failed to validate\\\"\\n false\\nfi\",\n \"id\": \"sudo_add_requiretty\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Ensure requiretty is enabled in /etc/sudoers\\n lineinfile:\\n path: /etc/sudoers\\n regexp: ^[\\\\s]*Defaults.*\\\\brequiretty\\\\b.*$\\n line: Defaults requiretty\\n validate: /usr/sbin/visudo -cf %s\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_add_requiretty\",\n \"id\": \"sudo_add_requiretty\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_requiretty:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_add_requiretty\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_add_use_pty",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_use_pty:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_use_pty_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R58)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "Req-10.2.1.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_add_use_pty",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R58)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "Req-10.2.1.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_add_use_pty",
+ "desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "descriptions": [
+ {
+ "data": "Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining\naccess to the user's terminal after the main program has finished executing.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"use_pty\",\n \"use_pty\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudotag, when specified, will only execute sudo\\ncommands from users logged in to a real tty.\\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\\nin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R58)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"Req-10.2.1.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining\\naccess to the user's terminal after the main program has finished executing.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"if /usr/sbin/visudo -qcf /etc/sudoers; then\\n cp /etc/sudoers /etc/sudoers.bak\\n if ! grep -P '^[\\\\s]*Defaults[\\\\s]*\\\\buse_pty\\\\b.*$' /etc/sudoers; then\\n # sudoers file doesn't define Option use_pty\\n echo \\\"Defaults use_pty\\\" >> /etc/sudoers\\n fi\\n \\n # Check validity of sudoers and cleanup bak\\n if /usr/sbin/visudo -qcf /etc/sudoers; then\\n rm -f /etc/sudoers.bak\\n else\\n echo \\\"Fail to validate remediated /etc/sudoers, reverting to original file.\\\"\\n mv /etc/sudoers.bak /etc/sudoers\\n false\\n fi\\nelse\\n echo \\\"Skipping remediation, /etc/sudoers failed to validate\\\"\\n false\\nfi\",\n \"id\": \"sudo_add_use_pty\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Ensure use_pty is enabled in /etc/sudoers\\n lineinfile:\\n path: /etc/sudoers\\n regexp: ^[\\\\s]*Defaults.*\\\\buse_pty\\\\b.*$\\n line: Defaults use_pty\\n validate: /usr/sbin/visudo -cf %s\\n tags:\\n - PCI-DSS-Req-10.2.1.5\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_add_use_pty\",\n \"id\": \"sudo_add_use_pty\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_add_use_pty:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_add_use_pty_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_add_use_pty\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudotag, when specified, will only execute sudo\ncommands from users logged in to a real tty.\nThis should be enabled by making sure that thetag exists inconfiguration file or any sudo configuration snippets\nin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "A custom log sudo file can be configured with the 'logfile' tag. This rule configures\na sudo custom logfile at the default location suggested by CIS, which uses\n/var/log/sudo.log.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_custom_logfile",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_sudo_logfile:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sudo_logfile\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_custom_logfile:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_custom_logfile_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "Req-10.2.1.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_custom_logfile",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Sudo - logfile value",
+ "lang": "en-US"
+ },
+ "description": "Specify the sudo logfile to use. The default value used here matches the example\nlocation from CIS, which uses /var/log/sudo.log.",
+ "value": [
+ "/var/log/sudo.log",
+ {
+ "text": "/var/log/sudo.log",
+ "selector": "var_log_sudo_log"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_sudo_logfile",
+ "type": "string",
+ "interactive": "true"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "ref": [
+ {
+ "text": "Req-10.2.1.5"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Sudo Logfile Exists - sudo logfile",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_custom_logfile",
+ "desc": "A custom log sudo file can be configured with the 'logfile' tag. This rule configures\na sudo custom logfile at the default location suggested by CIS, which uses\n/var/log/sudo.log.",
+ "descriptions": [
+ {
+ "data": "A sudo log file simplifies auditing of sudo commands.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Sudo Logfile Exists - sudo logfile\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"A custom log sudo file can be configured with the 'logfile' tag. This rule configures\\na sudo custom logfile at the default location suggested by CIS, which uses\\n/var/log/sudo.log.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"Req-10.2.1.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n \"rationale\": {\n \"text\": \"A sudo log file simplifies auditing of sudo commands.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_logfile\",\n \"use\": \"legacy\"\n },\n \"text\": \"var_sudo_logfile=''\\n\\n\\nif /usr/sbin/visudo -qcf /etc/sudoers; then\\n cp /etc/sudoers /etc/sudoers.bak\\n if ! grep -P '^[\\\\s]*Defaults[\\\\s]*\\\\blogfile=(\\\"(?:\\\\\\\\\\\"|\\\\\\\\\\\\\\\\|[^\\\"\\\\\\\\\\\\n])*\\\"\\\\B|[^\\\"](?:(?:\\\\\\\\,|\\\\\\\\\\\"|\\\\\\\\ |\\\\\\\\\\\\\\\\|[^\\\", \\\\\\\\\\\\n])*)\\\\b)\\\\b.*$' /etc/sudoers; then\\n # sudoers file doesn't define Option logfile\\n echo \\\"Defaults logfile=${var_sudo_logfile}\\\" >> /etc/sudoers\\n else\\n # sudoers file defines Option logfile, remediate if appropriate value is not set\\n if ! grep -P \\\"^[\\\\s]*Defaults.*\\\\blogfile=${var_sudo_logfile}\\\\b.*$\\\" /etc/sudoers; then\\n \\n escaped_variable=${var_sudo_logfile//$'/'/$'\\\\/'}\\n sed -Ei \\\"s/(^[\\\\s]*Defaults.*\\\\blogfile=)[-]?.+(\\\\b.*$)/\\\\1$escaped_variable\\\\2/\\\" /etc/sudoers\\n fi\\n fi\\n \\n # Check validity of sudoers and cleanup bak\\n if /usr/sbin/visudo -qcf /etc/sudoers; then\\n rm -f /etc/sudoers.bak\\n else\\n echo \\\"Fail to validate remediated /etc/sudoers, reverting to original file.\\\"\\n mv /etc/sudoers.bak /etc/sudoers\\n false\\n fi\\nelse\\n echo \\\"Skipping remediation, /etc/sudoers failed to validate\\\"\\n false\\nfi\",\n \"id\": \"sudo_custom_logfile\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sudo_logfile\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sudo_logfile # promote to variable\\n set_fact:\\n var_sudo_logfile: !!strtags:\\n - always\\n\\n- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers\\n lineinfile:\\n path: /etc/sudoers\\n regexp: ^[\\\\s]*Defaults\\\\s(.*)\\\\blogfile=[-]?.+\\\\b(.*)$\\n line: Defaults \\\\1logfile={{ var_sudo_logfile }}\\\\2\\n validate: /usr/sbin/visudo -cf %s\\n backrefs: true\\n register: edit_sudoers_logfile_option\\n tags:\\n - PCI-DSS-Req-10.2.1.5\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_custom_logfile\\n\\n- name: Enable logfile option with appropriate value in /etc/sudoers\\n lineinfile:\\n path: /etc/sudoers\\n line: Defaults logfile={{ var_sudo_logfile }}\\n validate: /usr/sbin/visudo -cf %s\\n when: edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed\\n tags:\\n - PCI-DSS-Req-10.2.1.5\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_custom_logfile\",\n \"id\": \"sudo_custom_logfile\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_sudo_logfile:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sudo_logfile\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_custom_logfile:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_custom_logfile_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_custom_logfile\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "A custom log sudo file can be configured with the 'logfile' tag. This rule configures\na sudo custom logfile at the default location suggested by CIS, which uses\n/var/log/sudo.log.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002038"
+ ],
+ "nist": [
+ "IA-11",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The sudooption, when specified, allows a user to execute commands using\nsudo without having to authenticate. This should be disabled by making sure that theoption does not exist inconfiguration file or\nany sudo configuration snippets in.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_remove_no_authenticate:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R59)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002038",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00156",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00157",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00158",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001470",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001480",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001490",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R59)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002038",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00156",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00157",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00158",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001470"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001480"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001490"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate",
+ "desc": "The sudooption, when specified, allows a user to execute commands using\nsudo without having to authenticate. This should be disabled by making sure that theoption does not exist inconfiguration file or\nany sudo configuration snippets in.",
+ "descriptions": [
+ {
+ "data": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"!authenticate\",\n \"!authenticate\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudooption, when specified, allows a user to execute commands using\\nsudo without having to authenticate. This should be disabled by making sure that theoption does not exist inconfiguration file or\\nany sudo configuration snippets in.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R59)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002038\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00156\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00157\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00158\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001470\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001480\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001490\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Without re-authentication, users may access resources or perform tasks for which they\\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\\nis critical that the user re-authenticate.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"for f in /etc/sudoers /etc/sudoers.d/* ; do\\n if [ ! -e \\\"$f\\\" ] ; then\\n continue\\n fi\\n matching_list=$(grep -P '^(?!#).*[\\\\s]+\\\\!authenticate.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n # comment out \\\"!authenticate\\\" matches to preserve user data\\n sed -i \\\"s/^${entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n\\n /usr/sbin/visudo -cf $f &> /dev/null || echo \\\"Fail to validate $f with visudo\\\"\\n fi\\ndone\",\n \"id\": \"sudo_remove_no_authenticate\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Find /etc/sudoers.d/ files\\n find:\\n paths:\\n - /etc/sudoers.d/\\n register: sudoers\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_remove_no_authenticate\\n\\n- name: Remove lines containing !authenticate from sudoers files\\n replace:\\n regexp: (^(?!#).*[\\\\s]+\\\\!authenticate.*$)\\n replace: '# \\\\g<1>'\\n path: '{{ item.path }}'\\n validate: /usr/sbin/visudo -cf %s\\n with_items:\\n - path: /etc/sudoers\\n - '{{ sudoers.files }}'\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_remove_no_authenticate\",\n \"id\": \"sudo_remove_no_authenticate\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_remove_no_authenticate:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudooption, when specified, allows a user to execute commands using\nsudo without having to authenticate. This should be disabled by making sure that theoption does not exist inconfiguration file or\nany sudo configuration snippets in.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002038"
+ ],
+ "nist": [
+ "IA-11",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The sudotag, when specified, allows a user to execute\ncommands using sudo without having to authenticate. This should be disabled\nby making sure that thetag does not exist inconfiguration file or any sudo configuration snippets\nin.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_remove_nopasswd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R59)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002038",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00156",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00157",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00158",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001470",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001480",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000373-VMM-001490",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R59)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002038",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00156",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00157",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00158",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001470"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001480"
+ },
+ {
+ "ref": "SRG-OS-000373-VMM-001490"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd",
+ "desc": "The sudotag, when specified, allows a user to execute\ncommands using sudo without having to authenticate. This should be disabled\nby making sure that thetag does not exist inconfiguration file or any sudo configuration snippets\nin.",
+ "descriptions": [
+ {
+ "data": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"NOPASSWD\",\n \"NOPASSWD\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudotag, when specified, allows a user to execute\\ncommands using sudo without having to authenticate. This should be disabled\\nby making sure that thetag does not exist inconfiguration file or any sudo configuration snippets\\nin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R59)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002038\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00156\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00157\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00158\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001470\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001480\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000373-VMM-001490\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Without re-authentication, users may access resources or perform tasks for which they\\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\\nis critical that the user re-authenticate.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"for f in /etc/sudoers /etc/sudoers.d/* ; do\\n if [ ! -e \\\"$f\\\" ] ; then\\n continue\\n fi\\n matching_list=$(grep -P '^(?!#).*[\\\\s]+NOPASSWD[\\\\s]*\\\\:.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n # comment out \\\"NOPASSWD\\\" matches to preserve user data\\n sed -i \\\"s/^${entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n\\n /usr/sbin/visudo -cf $f &> /dev/null || echo \\\"Fail to validate $f with visudo\\\"\\n fi\\ndone\",\n \"id\": \"sudo_remove_nopasswd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Find /etc/sudoers.d/ files\\n find:\\n paths:\\n - /etc/sudoers.d/\\n register: sudoers\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_remove_nopasswd\\n\\n- name: Remove lines containing NOPASSWD from sudoers files\\n replace:\\n regexp: (^(?!#).*[\\\\s]+NOPASSWD[\\\\s]*\\\\:.*$)\\n replace: '# \\\\g<1>'\\n path: '{{ item.path }}'\\n validate: /usr/sbin/visudo -cf %s\\n with_items:\\n - path: /etc/sudoers\\n - '{{ sudoers.files }}'\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_remove_nopasswd\",\n \"id\": \"sudo_remove_nopasswd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_remove_nopasswd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudotag, when specified, allows a user to execute\ncommands using sudo without having to authenticate. This should be disabled\nby making sure that thetag does not exist inconfiguration file or any sudo configuration snippets\nin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002038"
+ ],
+ "nist": [
+ "IA-11",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The sudoandoption, when\nspecified, allows a user to execute commands using sudo without having to\nauthenticate. This should be disabled by making sure thatand/ordo not exist inconfiguration file or any sudo configuration snippets\nin.\"",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_require_authentication",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_require_authentication:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_require_authentication_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002038",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00156",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_require_authentication",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002038",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00156",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_require_authentication",
+ "desc": "The sudoandoption, when\nspecified, allows a user to execute commands using sudo without having to\nauthenticate. This should be disabled by making sure thatand/ordo not exist inconfiguration file or any sudo configuration snippets\nin.\"",
+ "descriptions": [
+ {
+ "data": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Users Re-Authenticate for Privilege Escalation - sudo\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"NOPASSWD\",\n \"!authenticate\",\n \"NOPASSWD\",\n \"!authenticate\",\n \"/etc/sudoers\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudoandoption, when\\nspecified, allows a user to execute commands using sudo without having to\\nauthenticate. This should be disabled by making sure thatand/ordo not exist inconfiguration file or any sudo configuration snippets\\nin.\\\"\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002038\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00156\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Without re-authentication, users may access resources or perform tasks for which they\\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\\nis critical that the user re-authenticate.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"for f in /etc/sudoers /etc/sudoers.d/* ; do\\n if [ ! -e \\\"$f\\\" ] ; then\\n continue\\n fi\\n matching_list=$(grep -P '^(?!#).*[\\\\s]+NOPASSWD[\\\\s]*\\\\:.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n # comment out \\\"NOPASSWD\\\" matches to preserve user data\\n sed -i \\\"s/^${entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n\\n /usr/sbin/visudo -cf $f &> /dev/null || echo \\\"Fail to validate $f with visudo\\\"\\n fi\\ndone\\n\\nfor f in /etc/sudoers /etc/sudoers.d/* ; do\\n if [ ! -e \\\"$f\\\" ] ; then\\n continue\\n fi\\n matching_list=$(grep -P '^(?!#).*[\\\\s]+\\\\!authenticate.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n # comment out \\\"!authenticate\\\" matches to preserve user data\\n sed -i \\\"s/^${entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n\\n /usr/sbin/visudo -cf $f &> /dev/null || echo \\\"Fail to validate $f with visudo\\\"\\n fi\\ndone\",\n \"id\": \"sudo_require_authentication\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Find /etc/sudoers.d/ files\\n find:\\n paths:\\n - /etc/sudoers.d/\\n register: sudoers\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_require_authentication\\n\\n- name: Remove lines containing NOPASSWD from sudoers files\\n replace:\\n regexp: (^(?!#).*[\\\\s]+NOPASSWD[\\\\s]*\\\\:.*$)\\n replace: '# \\\\g<1>'\\n path: '{{ item.path }}'\\n validate: /usr/sbin/visudo -cf %s\\n with_items:\\n - path: /etc/sudoers\\n - '{{ sudoers.files }}'\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_require_authentication\\n\\n- name: Find /etc/sudoers.d/ files\\n find:\\n paths:\\n - /etc/sudoers.d/\\n register: sudoers\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_require_authentication\\n\\n- name: Remove lines containing !authenticate from sudoers files\\n replace:\\n regexp: (^(?!#).*[\\\\s]+\\\\!authenticate.*$)\\n replace: '# \\\\g<1>'\\n path: '{{ item.path }}'\\n validate: /usr/sbin/visudo -cf %s\\n with_items:\\n - path: /etc/sudoers\\n - '{{ sudoers.files }}'\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-11\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sudo_require_authentication\",\n \"id\": \"sudo_require_authentication\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_require_authentication:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_require_authentication_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_require_authentication\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudoandoption, when\nspecified, allows a user to execute commands using sudo without having to\nauthenticate. This should be disabled by making sure thatand/ordo not exist inconfiguration file or any sudo configuration snippets\nin.\"",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The sudotag, when specified, allows a user to execute commands using sudo without having to authenticate. Only theuser should have this capability in any sudo configuration snippets in.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudo_vdsm_nopasswd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_vdsm_nopasswd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudo_vdsm_nopasswd",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Only the VDSM User Can Use sudo NOPASSWD",
+ "id": "xccdf_org.ssgproject.content_rule_sudo_vdsm_nopasswd",
+ "desc": "The sudotag, when specified, allows a user to execute commands using sudo without having to authenticate. Only theuser should have this capability in any sudo configuration snippets in.",
+ "descriptions": [
+ {
+ "data": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Only the VDSM User Can Use sudo NOPASSWD\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"NOPASSWD\",\n \"vdsm\",\n \"/etc/sudoers.d/\"\n ],\n \"text\": \"The sudotag, when specified, allows a user to execute commands using sudo without having to authenticate. Only theuser should have this capability in any sudo configuration snippets in.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Without re-authentication, users may access resources or perform tasks for which they\\ndo not have authorization.When operating systems provide the capability to escalate a functional capability, it\\nis critical that the user re-authenticate.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudo_vdsm_nopasswd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudo_vdsm_nopasswd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The sudotag, when specified, allows a user to execute commands using sudo without having to authenticate. Only theuser should have this capability in any sudo configuration snippets in.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\nIf the command is supposed to be executed only without arguments, pass \"\" as an argument in the corresponding user specification.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_explicit_command_args:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_explicit_command_args_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R63)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R63)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Explicit arguments in sudo specifications",
+ "id": "xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args",
+ "desc": "All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\nIf the command is supposed to be executed only without arguments, pass \"\" as an argument in the corresponding user specification.",
+ "descriptions": [
+ {
+ "data": "Any argument can modify quite significantly the behavior of a program, whether regarding the\nrealized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To\navoid any possibility of misuse of a command by a user, the ambiguities must be removed at the\nlevel of its specification.\n\nFor example, on some systems, the kernel messages are only accessible by root.\nIf a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted\nin order to prevent the user from flushing the buffer through the -c option:",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Explicit arguments in sudo specifications\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\\nIf the command is supposed to be executed only without arguments, pass \\\"\\\" as an argument in the corresponding user specification.\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n {\n \"code\": [\n \"root ALL=(ALL) echo 1\\\\,2\",\n \"echo 1,2\",\n \"echo 1\\\\\",\n \"2\"\n ],\n \"text\": \"The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example,allows root to execute, but the check would interpret it as two commandsand.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n }\n ],\n \"reference\": {\n \"text\": \"BP28(R63)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"pre\": \"user ALL = dmesg \\\"\\\"\",\n \"text\": \"Any argument can modify quite significantly the behavior of a program, whether regarding the\\nrealized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To\\navoid any possibility of misuse of a command by a user, the ambiguities must be removed at the\\nlevel of its specification.\\n\\nFor example, on some systems, the kernel messages are only accessible by root.\\nIf a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted\\nin order to prevent the user from flushing the buffer through the -c option:\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_sudo\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_explicit_command_args:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_explicit_command_args_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\nIf the command is supposed to be executed only without arguments, pass \"\" as an argument in the corresponding user specification.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Policies applied by sudo through the sudoers file should not involve negation.\n\nEach user specification in thefile contains a comma-delimited list of command specifications.\nThe definition can make use glob patterns, as well as of negations.\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudoers_no_command_negation",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_no_command_negation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_no_command_negation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R61)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudoers_no_command_negation",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R61)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Don't define allowed commands in sudoers by means of exclusion",
+ "id": "xccdf_org.ssgproject.content_rule_sudoers_no_command_negation",
+ "desc": "Policies applied by sudo through the sudoers file should not involve negation.\n\nEach user specification in thefile contains a comma-delimited list of command specifications.\nThe definition can make use glob patterns, as well as of negations.\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.",
+ "descriptions": [
+ {
+ "data": "Specifying access right using negation is inefficient and can be easily circumvented.\nFor example, it is expected that a specification likeprevents the execution of the shell\nbut that’s not the case: just copy the binaryto a different name to make it executable\nagain through the rule keyword.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Don't define allowed commands in sudoers by means of exclusion\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"sudoers\",\n \"text\": \"Policies applied by sudo through the sudoers file should not involve negation.\\n\\nEach user specification in thefile contains a comma-delimited list of command specifications.\\nThe definition can make use glob patterns, as well as of negations.\\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": {\n \"text\": \"BP28(R61)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"pre\": \"# To avoid absolutely , this rule can be easily circumvented!\\nuser ALL = ALL ,!/ bin/sh\",\n \"code\": [\n \"/bin/sh\",\n \"ALL\"\n ],\n \"text\": \"Specifying access right using negation is inefficient and can be easily circumvented.\\nFor example, it is expected that a specification likeprevents the execution of the shell\\nbut that’s not the case: just copy the binaryto a different name to make it executable\\nagain through the rule keyword.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_sudo\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_no_command_negation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_no_command_negation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudoers_no_command_negation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Policies applied by sudo through the sudoers file should not involve negation.\n\nEach user specification in thefile contains a comma-delimited list of command specifications.\nThe definition can make use glob patterns, as well as of negations.\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\n\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), andorshould not be used.",
+ "group_id": "xccdf_org.ssgproject.content_group_sudo",
+ "group_title": "Sudo",
+ "group_description": ", which stands for \"su 'do'\", provides the ability to delegate authority\nto certain users, groups of users, or system administrators. When configured for system\nusers and/or groups,can allow a user or group to execute privileged commands\nthat normally onlyis allowed to execute.For more information onand additionconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sudoers_no_root_target",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_no_root_target:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R60)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sudoers_no_root_target",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R60)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Don't target root user in the sudoers file",
+ "id": "xccdf_org.ssgproject.content_rule_sudoers_no_root_target",
+ "desc": "The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\n\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), andorshould not be used.",
+ "descriptions": [
+ {
+ "data": "It is common that the command to be executed does not require superuser rights (editing a file\nwhose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit\nany attempt of privilege escalation through a command, it is better to apply normal user rights.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Don't target root user in the sudoers file\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ALL\",\n \"root\"\n ],\n \"text\": \"The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\\n\\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), andorshould not be used.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": {\n \"text\": \"BP28(R60)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"It is common that the command to be executed does not require superuser rights (editing a file\\nwhose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit\\nany attempt of privilege escalation through a command, it is better to apply normal user rights.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_sudo\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sudoers_no_root_target:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sudoers_no_root_target\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\n\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), andorshould not be used.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Thepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_system-tools",
+ "group_title": "System Tooling / Utilities",
+ "group_description": "The following checks evaluate the system for recommended base packages -- both for installation\nand removal.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_gnutls-utils_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "FIA_X509_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FIA_X509_EXT.2",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "FIA_X509_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FIA_X509_EXT.2",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure gnutls-utils is installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed",
+ "desc": "Thepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "GnuTLS is a secure communications library implementing the SSL, TLS and DTLS\nprotocols and technologies around them. It provides a simple C language\napplication programming interface (API) to access the secure communications\nprotocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and\nother required structures.\nThis package contains command line TLS client and server and certificate\nmanipulation tools.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure gnutls-utils is installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"gnutls-utils\",\n \"pre\": \"$ apt-get install gnutls-utils\",\n \"text\": \"Thepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"FIA_X509_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FIA_X509_EXT.2\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"GnuTLS is a secure communications library implementing the SSL, TLS and DTLS\\nprotocols and technologies around them. It provides a simple C language\\napplication programming interface (API) to access the secure communications\\nprotocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and\\nother required structures.\\nThis package contains command line TLS client and server and certificate\\nmanipulation tools.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"DEBIAN_FRONTEND=noninteractive apt-get install -y \\\"gnutls-utils\\\"\",\n \"id\": \"package_gnutls-utils_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure gnutls-utils is installed\\n package:\\n name: gnutls-utils\\n state: present\\n tags:\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_gnutls-utils_installed\",\n \"id\": \"package_gnutls-utils_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_gnutls-utils\\n\\nclass install_gnutls-utils {\\n package { 'gnutls-utils':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_gnutls-utils_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"gnutls-utils\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_gnutls-utils_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_gnutls-utils_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Thepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_system-tools",
+ "group_title": "System Tooling / Utilities",
+ "group_description": "The following checks evaluate the system for recommended base packages -- both for installation\nand removal.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_nss-tools_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_nss-tools_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_nss-tools_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure nss-tools is installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_nss-tools_installed",
+ "desc": "Thepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "Network Security Services (NSS) is a set of libraries designed to\nsupport cross-platform development of security-enabled client and\nserver applications. Install thepackage\nto install command-line tools to manipulate the NSS certificate\nand key database.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure nss-tools is installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"nss-tools\",\n \"pre\": \"$ apt-get install nss-tools\",\n \"text\": \"Thepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"nss-tools\",\n \"text\": \"Network Security Services (NSS) is a set of libraries designed to\\nsupport cross-platform development of security-enabled client and\\nserver applications. Install thepackage\\nto install command-line tools to manipulate the NSS certificate\\nand key database.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"DEBIAN_FRONTEND=noninteractive apt-get install -y \\\"nss-tools\\\"\",\n \"id\": \"package_nss-tools_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure nss-tools is installed\\n package:\\n name: nss-tools\\n state: present\\n tags:\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_nss-tools_installed\",\n \"id\": \"package_nss-tools_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_nss-tools\\n\\nclass install_nss-tools {\\n package { 'nss-tools':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_nss-tools_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"nss-tools\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_nss-tools_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_nss-tools_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_nss-tools_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-001227"
+ ],
+ "nist": [
+ "CM-6 b",
+ "SI-2 a",
+ "SI-2 (5)",
+ "SI-2 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If the system has an apt repository available, run the following command to install updates:NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy\ndictates.",
+ "group_id": "xccdf_org.ssgproject.content_group_updating",
+ "group_title": "Updating Software",
+ "group_description": "Thecommand line tool is used to install and\nupdate software packages. The system also provides a graphical\nsoftware update tool in themenu, in thesubmenu,\ncalled.Ubuntu 18.04 systems contain an installed software catalog called\nthe RPM database, which records metadata of installed packages. Consistently usingor the graphicalfor all software installation\nallows for insight into the current inventory of installed software on the system.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_security_patches_up_to_date",
+ "check": "\"\"",
+ "fix_id": "security_patches_up_to_date",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R08)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "20",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.10.4.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO12.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001227",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.12",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.2.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "A.12.6.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "SI-2(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SI-2(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "ID.RA-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-12",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FMT_MOF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-6.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notchecked",
+ "message": {
+ "text": "No candidate or applicable check found.",
+ "severity": "info"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_security_patches_up_to_date",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R08)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "20",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.10.4.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO12.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001227",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.12",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.2.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "A.12.6.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "SI-2(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SI-2(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "ID.RA-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-12",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FMT_MOF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-6.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Software Patches Installed",
+ "id": "xccdf_org.ssgproject.content_rule_security_patches_up_to_date",
+ "desc": "If the system has an apt repository available, run the following command to install updates:NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy\ndictates.",
+ "descriptions": [
+ {
+ "data": "- name: Security patches are up to date\n package:\n name: '*'\n state: latest\n tags:\n - CJIS-5.10.4.1\n - NIST-800-53-CM-6(a)\n - NIST-800-53-SI-2(5)\n - NIST-800-53-SI-2(c)\n - PCI-DSS-Req-6.2\n - high_disruption\n - low_complexity\n - medium_severity\n - patch_strategy\n - reboot_required\n - security_patches_up_to_date\n - skip_ansible_lint",
+ "label": "fix"
+ },
+ {
+ "data": "Installing software updates is a fundamental mitigation against\nthe exploitation of publicly-known vulnerabilities. If the most\nrecent security patches and updates are not installed, unauthorized\nusers may take advantage of weaknesses in the unpatched software. The\nlack of prompt attention to patching could result in a system compromise.",
+ "label": "rationale"
+ },
+ {
+ "data": "Ubuntu 18.04 does not have a corresponding OVAL CVE Feed. Therefore, this will result in a \"not checked\" result during a scan.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Software Patches Installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"$ apt update && apt full-upgrade\",\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"If the system has an apt repository available, run the following command to install updates:NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy\\ndictates.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Ubuntu 18.04 does not have a corresponding OVAL CVE Feed. Therefore, this will result in a \\\"not checked\\\" result during a scan.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R08)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"20\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.10.4.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO12.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001227\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.12\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.2.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"A.12.6.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"SI-2(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SI-2(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"ID.RA-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-12\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FMT_MOF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-6.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Installing software updates is a fundamental mitigation against\\nthe exploitation of publicly-known vulnerabilities. If the most\\nrecent security patches and updates are not installed, unauthorized\\nusers may take advantage of weaknesses in the unpatched software. The\\nlack of prompt attention to patching could result in a system compromise.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"- name: Security patches are up to date\\n package:\\n name: '*'\\n state: latest\\n tags:\\n - CJIS-5.10.4.1\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SI-2(5)\\n - NIST-800-53-SI-2(c)\\n - PCI-DSS-Req-6.2\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - patch_strategy\\n - reboot_required\\n - security_patches_up_to_date\\n - skip_ansible_lint\",\n \"id\": \"security_patches_up_to_date\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"patch\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_security_patches_up_to_date\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If the system has an apt repository available, run the following command to install updates:NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy\ndictates.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Prefer installation of 64-bit operating systems when the CPU supports it.",
+ "group_id": "xccdf_org.ssgproject.content_group_software",
+ "group_title": "Installing and Maintaining Software",
+ "group_description": "The following sections contain information on\nsecurity-relevant choices during the initial operating system\ninstallation process and the setup of software\nupdates.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_prefer_64bit_os",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-prefer_64bit_os:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-prefer_64bit_os_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R10)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_prefer_64bit_os",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R10)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Prefer to use a 64-bit Operating System when supported",
+ "id": "xccdf_org.ssgproject.content_rule_prefer_64bit_os",
+ "desc": "Prefer installation of 64-bit operating systems when the CPU supports it.",
+ "descriptions": [
+ {
+ "data": "Use of a 64-bit operating system offers a few advantages, like a larger address space range for\nAddress Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation besides installing a 64-bit operating system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Prefer to use a 64-bit Operating System when supported\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Prefer installation of 64-bit operating systems when the CPU supports it.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation besides installing a 64-bit operating system.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": {\n \"text\": \"BP28(R10)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Use of a 64-bit operating system offers a few advantages, like a larger address space range for\\nAddress Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-prefer_64bit_os:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-prefer_64bit_os_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_prefer_64bit_os\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Prefer installation of 64-bit operating systems when the CPU supports it.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000044"
+ ],
+ "nist": [
+ "AC-7 a",
+ "AC-7 a."
+ ],
+ "severity": "medium",
+ "description": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "group_id": "xccdf_org.ssgproject.content_group_locking_out_password_attempts",
+ "group_title": "Set Lockouts for Failed Password Attempts",
+ "group_description": "ThePAM module provides the capability to\nlock out user accounts after a number of failed login attempts. Its\ndocumentation is available in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-account_passwords_pam_faillock_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_passwords_pam_faillock_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000044",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-7 (a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000021-GPOS-00005",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000044",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-7 (a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000021-GPOS-00005",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Account Lockouts Must Be Logged",
+ "id": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit",
+ "desc": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "descriptions": [
+ {
+ "data": "Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule is deprecated in favor of therule.\nPlease consider replacing this rule in your files as it is not expected to receive\nupdates as of version.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Account Lockouts Must Be Logged\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"PAM faillock locks an account due to excessive password failures, this event must be logged.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"accounts_passwords_pam_faillock_audit\",\n \"0.1.65\"\n ],\n \"text\": \"This rule is deprecated in favor of therule.\\nPlease consider replacing this rule in your files as it is not expected to receive\\nupdates as of version.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000044\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-7 (a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000021-GPOS-00005\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-account_passwords_pam_faillock_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_passwords_pam_faillock_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000044"
+ ],
+ "nist": [
+ "AC-7 a",
+ "AC-7 a."
+ ],
+ "severity": "medium",
+ "description": "By setting a `dir` in the faillock configuration account lockouts will persist across reboots.",
+ "group_id": "xccdf_org.ssgproject.content_group_locking_out_password_attempts",
+ "group_title": "Set Lockouts for Failed Password Attempts",
+ "group_description": "ThePAM module provides the capability to\nlock out user accounts after a number of failed login attempts. Its\ndocumentation is available in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000044",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-7 (a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000044",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-7 (a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Account Lockouts Must Persist",
+ "id": "xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir",
+ "desc": "By setting a `dir` in the faillock configuration account lockouts will persist across reboots.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Having lockouts persist across reboots ensures that account is only unlocked by an administrator.\nIf the lockouts did not persist across reboots an attack could simply reboot the system to continue brute force attacks against the accounts on the system.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule is deprecated in favor of therule.\nPlease consider replacing this rule in your files as it is not expected to receive\nupdates as of version.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Account Lockouts Must Persist\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"By setting a `dir` in the faillock configuration account lockouts will persist across reboots.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"accounts_passwords_pam_faillock_dir\",\n \"0.1.65\"\n ],\n \"text\": \"This rule is deprecated in favor of therule.\\nPlease consider replacing this rule in your files as it is not expected to receive\\nupdates as of version.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000044\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-7 (a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Having lockouts persist across reboots ensures that account is only unlocked by an administrator.\\nIf the lockouts did not persist across reboots an attack could simply reboot the system to continue brute force attacks against the accounts on the system.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "By setting a `dir` in the faillock configuration account lockouts will persist across reboots.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000044"
+ ],
+ "nist": [
+ "AC-7 a",
+ "AC-7 a."
+ ],
+ "severity": "medium",
+ "description": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "group_id": "xccdf_org.ssgproject.content_group_locking_out_password_attempts",
+ "group_title": "Set Lockouts for Failed Password Attempts",
+ "group_description": "ThePAM module provides the capability to\nlock out user accounts after a number of failed login attempts. Its\ndocumentation is available in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_passwords_pam_faillock_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_passwords_pam_faillock_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000044",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-7 (a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000021-GPOS-00005",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000044",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-7 (a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000021-GPOS-00005",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Account Lockouts Must Be Logged",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit",
+ "desc": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "descriptions": [
+ {
+ "data": "Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Account Lockouts Must Be Logged\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"PAM faillock locks an account due to excessive password failures, this event must be logged.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000044\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-7 (a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000021-GPOS-00005\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_passwords_pam_faillock_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_passwords_pam_faillock_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "PAM faillock locks an account due to excessive password failures, this event must be logged.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002038"
+ ],
+ "nist": [
+ "IA-11"
+ ],
+ "severity": "medium",
+ "description": "Verify the operating system is not configured to bypass password requirements for privilege\nescalation. Check the configuration of the \"/etc/pam.d/sudo\" file with the following command:If any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-pam",
+ "group_title": "Protect Accounts by Configuring PAM",
+ "group_description": "PAM, or Pluggable Authentication Modules, is a system\nwhich implements modular authentication for Linux programs. PAM provides\na flexible and configurable architecture for authentication, and it should be configured\nto minimize exposure to unnecessary risk. This section contains\nguidance on how to accomplish that.PAM is implemented as a set of shared objects which are\nloaded and invoked whenever an application wishes to authenticate a\nuser. Typically, the application must be running as root in order\nto take advantage of PAM, because PAM's modules often need to be able\nto access sensitive stores of account information, such as /etc/shadow.\nTraditional privileged network listeners\n(e.g. sshd) or SUID programs (e.g. sudo) already meet this\nrequirement. An SUID root application, userhelper, is provided so\nthat programs which are not SUID or privileged themselves can still\ntake advantage of PAM.PAM looks in the directoryfor\napplication-specific configuration information. For instance, if\nthe program login attempts to authenticate a user, then PAM's\nlibraries follow the instructions in the fileto determine what actions should be taken.One very important file inis. This file, which is included by\nmany other PAM configuration files, defines 'default' system authentication\nmeasures. Modifying this file is a good way to make far-reaching\nauthentication changes, for instance when implementing a\ncentralized authentication service.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-disallow_bypass_password_sudo:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-disallow_bypass_password_sudo_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002038",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "IA-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00156",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00157",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000373-GPOS-00158",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002038",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "IA-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00156",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00157",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000373-GPOS-00158",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disallow Configuration to Bypass Password Requirements for Privilege Escalation",
+ "id": "xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo",
+ "desc": "Verify the operating system is not configured to bypass password requirements for privilege\nescalation. Check the configuration of the \"/etc/pam.d/sudo\" file with the following command:If any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.",
+ "descriptions": [
+ {
+ "data": "Without re-authentication, users may access resources or perform tasks for which they do not\nhave authorization. When operating systems provide the capability to escalate a functional\ncapability, it is critical the user re-authenticate.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disallow Configuration to Bypass Password Requirements for Privilege Escalation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"$ sudo grep pam_succeed_if /etc/pam.d/sudo\",\n \"text\": \"Verify the operating system is not configured to bypass password requirements for privilege\\nescalation. Check the configuration of the \\\"/etc/pam.d/sudo\\\" file with the following command:If any occurrences of \\\"pam_succeed_if\\\" is returned from the command, this is a finding.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002038\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"IA-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00156\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00157\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000373-GPOS-00158\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without re-authentication, users may access resources or perform tasks for which they do not\\nhave authorization. When operating systems provide the capability to escalate a functional\\ncapability, it is critical the user re-authenticate.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_pam\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-disallow_bypass_password_sudo:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-disallow_bypass_password_sudo_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Verify the operating system is not configured to bypass password requirements for privilege\nescalation. Check the configuration of the \"/etc/pam.d/sudo\" file with the following command:If any occurrences of \"pam_succeed_if\" is returned from the command, this is a finding.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000052"
+ ],
+ "nist": [
+ "AC-9",
+ "AC-9 (1)"
+ ],
+ "severity": "low",
+ "description": "To configure the system to notify users of last logon/access\nusing, add or correct thesettings into read as follows:And make sure that theoption is not set formodule.",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-pam",
+ "group_title": "Protect Accounts by Configuring PAM",
+ "group_description": "PAM, or Pluggable Authentication Modules, is a system\nwhich implements modular authentication for Linux programs. PAM provides\na flexible and configurable architecture for authentication, and it should be configured\nto minimize exposure to unnecessary risk. This section contains\nguidance on how to accomplish that.PAM is implemented as a set of shared objects which are\nloaded and invoked whenever an application wishes to authenticate a\nuser. Typically, the application must be running as root in order\nto take advantage of PAM, because PAM's modules often need to be able\nto access sensitive stores of account information, such as /etc/shadow.\nTraditional privileged network listeners\n(e.g. sshd) or SUID programs (e.g. sudo) already meet this\nrequirement. An SUID root application, userhelper, is provided so\nthat programs which are not SUID or privileged themselves can still\ntake advantage of PAM.PAM looks in the directoryfor\napplication-specific configuration information. For instance, if\nthe program login attempts to authenticate a user, then PAM's\nlibraries follow the instructions in the fileto determine what actions should be taken.One very important file inis. This file, which is included by\nmany other PAM configuration files, defines 'default' system authentication\nmeasures. Modifying this file is a good way to make far-reaching\nauthentication changes, for instance when implementing a\ncentralized authentication service.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_display_login_attempts",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-display_login_attempts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-display_login_attempts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "display_login_attempts",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000052",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0582",
+ "href": ""
+ },
+ {
+ "text": "0584",
+ "href": ""
+ },
+ {
+ "text": "05885",
+ "href": ""
+ },
+ {
+ "text": "0586",
+ "href": ""
+ },
+ {
+ "text": "0846",
+ "href": ""
+ },
+ {
+ "text": "0957",
+ "href": ""
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-9(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.2.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_display_login_attempts",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000052",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0582"
+ },
+ {
+ "ref": "0584"
+ },
+ {
+ "ref": "05885"
+ },
+ {
+ "ref": "0586"
+ },
+ {
+ "ref": "0846"
+ },
+ {
+ "ref": "0957"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-9(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.2.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure PAM Displays Last Logon/Access Notification",
+ "id": "xccdf_org.ssgproject.content_rule_display_login_attempts",
+ "desc": "To configure the system to notify users of last logon/access\nusing, add or correct thesettings into read as follows:And make sure that theoption is not set formodule.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nif [ -e \"/etc/pam.d/login\" ] ; then\n PAM_FILE_PATH=\"/etc/pam.d/login\"\n if [ -f /usr/bin/authselect ]; then\n \n if ! authselect check; then\n echo \"\n authselect integrity check failed. Remediation aborted!\n This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.\n It is not recommended to manually edit the PAM files when authselect tool is available.\n In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.\"\n exit 1\n fi\n\n CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')\n # If not already in use, a custom profile is created preserving the enabled features.\n if [[ ! $CURRENT_PROFILE == custom/* ]]; then\n ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')\n authselect create-profile hardening -b $CURRENT_PROFILE\n CURRENT_PROFILE=\"custom/hardening\"\n \n authselect apply-changes -b --backup=before-hardening-custom-profile\n authselect select $CURRENT_PROFILE\n for feature in $ENABLED_FEATURES; do\n authselect enable-feature $feature;\n done\n \n authselect apply-changes -b --backup=after-hardening-custom-profile\n fi\n PAM_FILE_NAME=$(basename \"/etc/pam.d/login\")\n PAM_FILE_PATH=\"/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME\"\n\n authselect apply-changes -b\n fi\n if ! grep -qP '^\\s*session\\s+'\"required\"'\\s+pam_lastlog.so\\s*.*' \"$PAM_FILE_PATH\"; then\n # Line matching group + control + module was not found. Check group + module.\n if [ \"$(grep -cP '^\\s*session\\s+.*\\s+pam_lastlog.so\\s*' \"$PAM_FILE_PATH\")\" -eq 1 ]; then\n # The control is updated only if one single line matches.\n sed -i -E --follow-symlinks 's/^(\\s*session\\s+).*(\\bpam_lastlog.so.*)/\\1'\"required\"' \\2/' \"$PAM_FILE_PATH\"\n else\n sed -i --follow-symlinks '1i session '\"required\"' pam_lastlog.so' \"$PAM_FILE_PATH\"\n fi\n fi\n # Check the option\n if ! grep -qP '^\\s*session\\s+'\"required\"'\\s+pam_lastlog.so\\s*.*\\sshowfailed\\b' \"$PAM_FILE_PATH\"; then\n sed -i -E --follow-symlinks '/\\s*session\\s+'\"required\"'\\s+pam_lastlog.so.*/ s/$/ showfailed/' \"$PAM_FILE_PATH\"\n fi\n if [ -f /usr/bin/authselect ]; then\n \n authselect apply-changes -b\n fi\nelse\n echo \"/etc/pam.d/login was not found\" >&2\nfi\nif [ -e \"/etc/pam.d/login\" ] ; then\n PAM_FILE_PATH=\"/etc/pam.d/login\"\n if [ -f /usr/bin/authselect ]; then\n \n if ! authselect check; then\n echo \"\n authselect integrity check failed. Remediation aborted!\n This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.\n It is not recommended to manually edit the PAM files when authselect tool is available.\n In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.\"\n exit 1\n fi\n\n CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')\n # If not already in use, a custom profile is created preserving the enabled features.\n if [[ ! $CURRENT_PROFILE == custom/* ]]; then\n ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')\n authselect create-profile hardening -b $CURRENT_PROFILE\n CURRENT_PROFILE=\"custom/hardening\"\n \n authselect apply-changes -b --backup=before-hardening-custom-profile\n authselect select $CURRENT_PROFILE\n for feature in $ENABLED_FEATURES; do\n authselect enable-feature $feature;\n done\n \n authselect apply-changes -b --backup=after-hardening-custom-profile\n fi\n PAM_FILE_NAME=$(basename \"/etc/pam.d/login\")\n PAM_FILE_PATH=\"/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME\"\n\n authselect apply-changes -b\n fi\n \nif grep -qP '^\\s*session\\s.*\\bpam_lastlog.so\\s.*\\bsilent\\b' \"$PAM_FILE_PATH\"; then\n sed -i -E --follow-symlinks 's/(.*session.*pam_lastlog.so.*)\\bsilent\\b=?[[:alnum:]]*(.*)/\\1\\2/g' \"$PAM_FILE_PATH\"\nfi\n if [ -f /usr/bin/authselect ]; then\n \n authselect apply-changes -b\n fi\nelse\n echo \"/etc/pam.d/login was not found\" >&2\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Users need to be aware of activity that occurs regarding\ntheir account. Providing users with information regarding the number\nof unsuccessful attempts that were made to login to their account\nallows the user to determine if any unauthorized activity has occurred\nand gives them an opportunity to notify administrators.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure PAM Displays Last Logon/Access Notification\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"pam_lastlog\",\n \"pam_lastlog\",\n \"/etc/pam.d/login\",\n \"silent\",\n \"pam_lastlog\"\n ],\n \"pre\": \"session required pam_lastlog.so showfailed\",\n \"text\": \"To configure the system to notify users of last logon/access\\nusing, add or correct thesettings into read as follows:And make sure that theoption is not set formodule.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000052\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0582\",\n \"href\": \"\"\n },\n {\n \"text\": \"0584\",\n \"href\": \"\"\n },\n {\n \"text\": \"05885\",\n \"href\": \"\"\n },\n {\n \"text\": \"0586\",\n \"href\": \"\"\n },\n {\n \"text\": \"0846\",\n \"href\": \"\"\n },\n {\n \"text\": \"0957\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-9(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.2.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Users need to be aware of activity that occurs regarding\\ntheir account. Providing users with information regarding the number\\nof unsuccessful attempts that were made to login to their account\\nallows the user to determine if any unauthorized activity has occurred\\nand gives them an opportunity to notify administrators.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_pam\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\\n\\nif [ -e \\\"/etc/pam.d/login\\\" ] ; then\\n PAM_FILE_PATH=\\\"/etc/pam.d/login\\\"\\n if [ -f /usr/bin/authselect ]; then\\n \\n if ! authselect check; then\\n echo \\\"\\n authselect integrity check failed. Remediation aborted!\\n This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.\\n It is not recommended to manually edit the PAM files when authselect tool is available.\\n In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.\\\"\\n exit 1\\n fi\\n\\n CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')\\n # If not already in use, a custom profile is created preserving the enabled features.\\n if [[ ! $CURRENT_PROFILE == custom/* ]]; then\\n ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')\\n authselect create-profile hardening -b $CURRENT_PROFILE\\n CURRENT_PROFILE=\\\"custom/hardening\\\"\\n \\n authselect apply-changes -b --backup=before-hardening-custom-profile\\n authselect select $CURRENT_PROFILE\\n for feature in $ENABLED_FEATURES; do\\n authselect enable-feature $feature;\\n done\\n \\n authselect apply-changes -b --backup=after-hardening-custom-profile\\n fi\\n PAM_FILE_NAME=$(basename \\\"/etc/pam.d/login\\\")\\n PAM_FILE_PATH=\\\"/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME\\\"\\n\\n authselect apply-changes -b\\n fi\\n if ! grep -qP '^\\\\s*session\\\\s+'\\\"required\\\"'\\\\s+pam_lastlog.so\\\\s*.*' \\\"$PAM_FILE_PATH\\\"; then\\n # Line matching group + control + module was not found. Check group + module.\\n if [ \\\"$(grep -cP '^\\\\s*session\\\\s+.*\\\\s+pam_lastlog.so\\\\s*' \\\"$PAM_FILE_PATH\\\")\\\" -eq 1 ]; then\\n # The control is updated only if one single line matches.\\n sed -i -E --follow-symlinks 's/^(\\\\s*session\\\\s+).*(\\\\bpam_lastlog.so.*)/\\\\1'\\\"required\\\"' \\\\2/' \\\"$PAM_FILE_PATH\\\"\\n else\\n sed -i --follow-symlinks '1i session '\\\"required\\\"' pam_lastlog.so' \\\"$PAM_FILE_PATH\\\"\\n fi\\n fi\\n # Check the option\\n if ! grep -qP '^\\\\s*session\\\\s+'\\\"required\\\"'\\\\s+pam_lastlog.so\\\\s*.*\\\\sshowfailed\\\\b' \\\"$PAM_FILE_PATH\\\"; then\\n sed -i -E --follow-symlinks '/\\\\s*session\\\\s+'\\\"required\\\"'\\\\s+pam_lastlog.so.*/ s/$/ showfailed/' \\\"$PAM_FILE_PATH\\\"\\n fi\\n if [ -f /usr/bin/authselect ]; then\\n \\n authselect apply-changes -b\\n fi\\nelse\\n echo \\\"/etc/pam.d/login was not found\\\" >&2\\nfi\\nif [ -e \\\"/etc/pam.d/login\\\" ] ; then\\n PAM_FILE_PATH=\\\"/etc/pam.d/login\\\"\\n if [ -f /usr/bin/authselect ]; then\\n \\n if ! authselect check; then\\n echo \\\"\\n authselect integrity check failed. Remediation aborted!\\n This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.\\n It is not recommended to manually edit the PAM files when authselect tool is available.\\n In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.\\\"\\n exit 1\\n fi\\n\\n CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')\\n # If not already in use, a custom profile is created preserving the enabled features.\\n if [[ ! $CURRENT_PROFILE == custom/* ]]; then\\n ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')\\n authselect create-profile hardening -b $CURRENT_PROFILE\\n CURRENT_PROFILE=\\\"custom/hardening\\\"\\n \\n authselect apply-changes -b --backup=before-hardening-custom-profile\\n authselect select $CURRENT_PROFILE\\n for feature in $ENABLED_FEATURES; do\\n authselect enable-feature $feature;\\n done\\n \\n authselect apply-changes -b --backup=after-hardening-custom-profile\\n fi\\n PAM_FILE_NAME=$(basename \\\"/etc/pam.d/login\\\")\\n PAM_FILE_PATH=\\\"/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME\\\"\\n\\n authselect apply-changes -b\\n fi\\n \\nif grep -qP '^\\\\s*session\\\\s.*\\\\bpam_lastlog.so\\\\s.*\\\\bsilent\\\\b' \\\"$PAM_FILE_PATH\\\"; then\\n sed -i -E --follow-symlinks 's/(.*session.*pam_lastlog.so.*)\\\\bsilent\\\\b=?[[:alnum:]]*(.*)/\\\\1\\\\2/g' \\\"$PAM_FILE_PATH\\\"\\nfi\\n if [ -f /usr/bin/authselect ]; then\\n \\n authselect apply-changes -b\\n fi\\nelse\\n echo \\\"/etc/pam.d/login was not found\\\" >&2\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"display_login_attempts\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-display_login_attempts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-display_login_attempts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_display_login_attempts\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to notify users of last logon/access\nusing, add or correct thesettings into read as follows:And make sure that theoption is not set formodule.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000770",
+ "CCI-000804"
+ ],
+ "nist": [
+ "IA-2 (5)",
+ "IA-8"
+ ],
+ "severity": "medium",
+ "description": "Ensure accounts on the system have unique names.\n\nTo ensure all accounts have unique names, run the following command:If a username is returned, change or delete the username.",
+ "group_id": "xccdf_org.ssgproject.content_group_account_expiration",
+ "group_title": "Set Account Expiration Parameters",
+ "group_description": "Accounts can be configured to be automatically disabled\nafter a certain time period,\nmeaning that they will require administrator interaction to become usable again.\nExpiration of accounts after inactivity can be set for all accounts by default\nand also on a per-account basis, such as for accounts that are known to be temporary.\nTo configure automatic expiration of an account following\nthe expiration of its password (that is, after the password has expired and not been changed),\nrun the following command, substitutingandappropriately:Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with theoption.\nThe filecontrols\ndefault settings for all newly-created accounts created with the system's\nnormal command line utilities.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_account_unique_name",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-account_unique_name:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_unique_name_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "5.5.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "CCI-000770",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000804",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "Req-8.1.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_account_unique_name",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "5.5.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "CCI-000770",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000804",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "Req-8.1.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure All Accounts on the System Have Unique Names",
+ "id": "xccdf_org.ssgproject.content_rule_account_unique_name",
+ "desc": "Ensure accounts on the system have unique names.\n\nTo ensure all accounts have unique names, run the following command:If a username is returned, change or delete the username.",
+ "descriptions": [
+ {
+ "data": "Unique usernames allow for accountability on the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure All Accounts on the System Have Unique Names\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d\",\n \"text\": \"Ensure accounts on the system have unique names.\\n\\nTo ensure all accounts have unique names, run the following command:If a username is returned, change or delete the username.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"5.5.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"CCI-000770\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000804\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"Req-8.1.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Unique usernames allow for accountability on the system.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-account_unique_name:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_unique_name_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_account_unique_name\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ensure accounts on the system have unique names.\n\nTo ensure all accounts have unique names, run the following command:If a username is returned, change or delete the username.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Implement an automated system for managing user accounts that minimizes the\nrisk of errors, either intentional or deliberate. This system\nshould integrate with an existing enterprise user management system, such as\none based on Identity Management tools such as Active Directory, Kerberos,\nDirectory Server, etc.",
+ "group_id": "xccdf_org.ssgproject.content_group_account_expiration",
+ "group_title": "Set Account Expiration Parameters",
+ "group_description": "Accounts can be configured to be automatically disabled\nafter a certain time period,\nmeaning that they will require administrator interaction to become usable again.\nExpiration of accounts after inactivity can be set for all accounts by default\nand also on a per-account basis, such as for accounts that are known to be temporary.\nTo configure automatic expiration of an account following\nthe expiration of its password (that is, after the password has expired and not been changed),\nrun the following command, substitutingandappropriately:Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with theoption.\nThe filecontrols\ndefault settings for all newly-created accounts created with the system's\nnormal command line utilities.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Use Centralized and Automated Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth",
+ "desc": "Implement an automated system for managing user accounts that minimizes the\nrisk of errors, either intentional or deliberate. This system\nshould integrate with an existing enterprise user management system, such as\none based on Identity Management tools such as Active Directory, Kerberos,\nDirectory Server, etc.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "A comprehensive account management process that includes automation helps to\nensure the accounts designated as requiring attention are consistently and\npromptly addressed. Enterprise environments make user account management\nchallenging and complex. A user management process requiring administrators to\nmanually address account management functions adds risk of potential\noversight.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Use Centralized and Automated Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Implement an automated system for managing user accounts that minimizes the\\nrisk of errors, either intentional or deliberate. This system\\nshould integrate with an existing enterprise user management system, such as\\none based on Identity Management tools such as Active Directory, Kerberos,\\nDirectory Server, etc.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"A comprehensive account management process that includes automation helps to\\nensure the accounts designated as requiring attention are consistently and\\npromptly addressed. Enterprise environments make user account management\\nchallenging and complex. A user management process requiring administrators to\\nmanually address account management functions adds risk of potential\\noversight.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Implement an automated system for managing user accounts that minimizes the\nrisk of errors, either intentional or deliberate. This system\nshould integrate with an existing enterprise user management system, such as\none based on Identity Management tools such as Active Directory, Kerberos,\nDirectory Server, etc.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000199"
+ ],
+ "nist": [
+ "IA-5 (1) (d)",
+ "IA-5 f.",
+ "IA-5 (1) d.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To specify password maximum age for new accounts,\nedit the fileand add or correct the following line:A value of 180 days is sufficient for many environments.\nThe DoD requirement is 60.\nThe profile requirement is.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_expiration",
+ "group_title": "Set Password Expiration Parameters",
+ "group_description": "The filecontrols several\npassword-related settings. Programs such as,, andconsultto determine\nbehavior with regard to password aging, expiration warnings,\nand length. See the man pagefor more information.Users should be forced to change their passwords, in order to\ndecrease the utility of compromised passwords. However, the need to\nchange passwords often should be balanced against the risk that\nusers will reuse or write down passwords if forced to change them\ntoo often. Forcing password changes every 90-360 days, depending on\nthe environment, is recommended. Set the appropriate value asand apply it to existing accounts with theflag.The() setting prevents password\nchanges for 7 days after the first change, to discourage password\ncycling. If you use this setting, train users to contact an administrator\nfor an emergency password change in case a new password becomes\ncompromised. The() setting gives\nusers 7 days of warnings at login time that their passwords are about to expire.For example, for each existing human user, expiration parameters\ncould be adjusted to a 180 day maximum password age, 7 day minimum password\nage, and 7 day warning period with the following command:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_maximum_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_maximum_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_maximum_age_login_defs",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R18)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.6.2.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.5.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000199",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0418",
+ "href": ""
+ },
+ {
+ "text": "1055",
+ "href": ""
+ },
+ {
+ "text": "1402",
+ "href": ""
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(f)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.2.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000076-GPOS-00044",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "maximum password age",
+ "lang": "en-US"
+ },
+ "description": "Maximum age of password in days",
+ "value": [
+ {
+ "text": "365",
+ "selector": "365"
+ },
+ {
+ "text": "120",
+ "selector": "120"
+ },
+ {
+ "text": "180",
+ "selector": "180"
+ },
+ {
+ "text": "60",
+ "selector": "60"
+ },
+ {
+ "text": "90",
+ "selector": "90"
+ },
+ "60"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R18)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.6.2.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.5.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000199",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0418"
+ },
+ {
+ "ref": "1055"
+ },
+ {
+ "ref": "1402"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(f)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.2.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000076-GPOS-00044",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Password Maximum Age",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs",
+ "desc": "To specify password maximum age for new accounts,\nedit the fileand add or correct the following line:A value of 180 days is sufficient for many environments.\nThe DoD requirement is 60.\nThe profile requirement is.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\nvar_accounts_maximum_age_login_defs=''\n\n\ngrep -q ^PASS_MAX_DAYS /etc/login.defs && \\\n sed -i \"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]; then\n echo \"PASS_MAX_DAYS $var_accounts_maximum_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords\nneed to be changed periodically. If the operating system does not limit the lifetime\nof passwords and force users to change their passwords, there is the risk that the\noperating system passwords could be compromised.Setting the password maximum age ensures users are required to\nperiodically change their passwords. Requiring shorter password lifetimes\nincreases the risk of users writing down the password in a convenient\nlocation subject to physical compromise.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Password Maximum Age\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"PASS_MAX_DAYS\"\n },\n \"text\": \"To specify password maximum age for new accounts,\\nedit the fileand add or correct the following line:A value of 180 days is sufficient for many environments.\\nThe DoD requirement is 60.\\nThe profile requirement is.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R18)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.6.2.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.5.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000199\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0418\",\n \"href\": \"\"\n },\n {\n \"text\": \"1055\",\n \"href\": \"\"\n },\n {\n \"text\": \"1402\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(f)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.2.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000076-GPOS-00044\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Any password, no matter how complex, can eventually be cracked. Therefore, passwords\\nneed to be changed periodically. If the operating system does not limit the lifetime\\nof passwords and force users to change their passwords, there is the risk that the\\noperating system passwords could be compromised.Setting the password maximum age ensures users are required to\\nperiodically change their passwords. Requiring shorter password lifetimes\\nincreases the risk of users writing down the password in a convenient\\nlocation subject to physical compromise.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'login' 2>/dev/null | grep -q installed; then\\n\\nvar_accounts_maximum_age_login_defs=''\\n\\n\\ngrep -q ^PASS_MAX_DAYS /etc/login.defs && \\\\\\n sed -i \\\"s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g\\\" /etc/login.defs\\nif ! [ $? -eq 0 ]; then\\n echo \\\"PASS_MAX_DAYS $var_accounts_maximum_age_login_defs\\\" >> /etc/login.defs\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"accounts_maximum_age_login_defs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_maximum_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_maximum_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To specify password maximum age for new accounts,\nedit the fileand add or correct the following line:A value of 180 days is sufficient for many environments.\nThe DoD requirement is 60.\nThe profile requirement is.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000198"
+ ],
+ "nist": [
+ "IA-5 (1) (d)",
+ "IA-5 f.",
+ "IA-5 (1) d.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To specify password minimum age for new accounts,\nedit the fileand add or correct the following line:A value of 1 day is considered sufficient for many\nenvironments. The DoD requirement is 1.\nThe profile requirement is.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_expiration",
+ "group_title": "Set Password Expiration Parameters",
+ "group_description": "The filecontrols several\npassword-related settings. Programs such as,, andconsultto determine\nbehavior with regard to password aging, expiration warnings,\nand length. See the man pagefor more information.Users should be forced to change their passwords, in order to\ndecrease the utility of compromised passwords. However, the need to\nchange passwords often should be balanced against the risk that\nusers will reuse or write down passwords if forced to change them\ntoo often. Forcing password changes every 90-360 days, depending on\nthe environment, is recommended. Set the appropriate value asand apply it to existing accounts with theflag.The() setting prevents password\nchanges for 7 days after the first change, to discourage password\ncycling. If you use this setting, train users to contact an administrator\nfor an emergency password change in case a new password becomes\ncompromised. The() setting gives\nusers 7 days of warnings at login time that their passwords are about to expire.For example, for each existing human user, expiration parameters\ncould be adjusted to a 180 day maximum password age, 7 day minimum password\nage, and 7 day warning period with the following command:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_minimum_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_minimum_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_minimum_age_login_defs",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.6.2.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.5.8",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000198",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0418",
+ "href": ""
+ },
+ {
+ "text": "1055",
+ "href": ""
+ },
+ {
+ "text": "1402",
+ "href": ""
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(f)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.3.9",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000075-GPOS-00043",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "minimum password age",
+ "lang": "en-US"
+ },
+ "description": "Minimum age of password in days",
+ "value": [
+ {
+ "text": "0",
+ "selector": "0"
+ },
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "2",
+ "selector": "2"
+ },
+ {
+ "text": "5",
+ "selector": "5"
+ },
+ {
+ "text": "7",
+ "selector": "7"
+ },
+ "7"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.6.2.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.5.8",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000198",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0418"
+ },
+ {
+ "ref": "1055"
+ },
+ {
+ "ref": "1402"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(f)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.3.9",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000075-GPOS-00043",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Password Minimum Age",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs",
+ "desc": "To specify password minimum age for new accounts,\nedit the fileand add or correct the following line:A value of 1 day is considered sufficient for many\nenvironments. The DoD requirement is 1.\nThe profile requirement is.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\nvar_accounts_minimum_age_login_defs=''\n\n\ngrep -q ^PASS_MIN_DAYS /etc/login.defs && \\\n sed -i \"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]; then\n echo \"PASS_MIN_DAYS $var_accounts_minimum_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Enforcing a minimum password lifetime helps to prevent repeated password\nchanges to defeat the password reuse or history enforcement requirement. If\nusers are allowed to immediately and continually change their password,\nthen the password could be repeatedly changed in a short period of time to\ndefeat the organization's policy regarding password reuse.Setting the minimum password age protects against users cycling back to a\nfavorite password after satisfying the password reuse requirement.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Password Minimum Age\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"PASS_MIN_DAYS\"\n },\n \"text\": \"To specify password minimum age for new accounts,\\nedit the fileand add or correct the following line:A value of 1 day is considered sufficient for many\\nenvironments. The DoD requirement is 1.\\nThe profile requirement is.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.6.2.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.5.8\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000198\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0418\",\n \"href\": \"\"\n },\n {\n \"text\": \"1055\",\n \"href\": \"\"\n },\n {\n \"text\": \"1402\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(f)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.3.9\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000075-GPOS-00043\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Enforcing a minimum password lifetime helps to prevent repeated password\\nchanges to defeat the password reuse or history enforcement requirement. If\\nusers are allowed to immediately and continually change their password,\\nthen the password could be repeatedly changed in a short period of time to\\ndefeat the organization's policy regarding password reuse.Setting the minimum password age protects against users cycling back to a\\nfavorite password after satisfying the password reuse requirement.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'login' 2>/dev/null | grep -q installed; then\\n\\nvar_accounts_minimum_age_login_defs=''\\n\\n\\ngrep -q ^PASS_MIN_DAYS /etc/login.defs && \\\\\\n sed -i \\\"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g\\\" /etc/login.defs\\nif ! [ $? -eq 0 ]; then\\n echo \\\"PASS_MIN_DAYS $var_accounts_minimum_age_login_defs\\\" >> /etc/login.defs\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"accounts_minimum_age_login_defs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_minimum_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_minimum_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To specify password minimum age for new accounts,\nedit the fileand add or correct the following line:A value of 1 day is considered sufficient for many\nenvironments. The DoD requirement is 1.\nThe profile requirement is.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000205"
+ ],
+ "nist": [
+ "IA-5 (1) (a)",
+ "IA-5 f.",
+ "IA-5 (1) a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To specify password length requirements for new accounts, edit the fileand add or correct the following line:The DoD requirement is.\nThe FISMA requirement is.\nThe profile requirement is.\nIf a program consultsand also another PAM module\n(such as) during a password change operation, then\nthe most restrictive must be satisfied. See PAM section for more\ninformation about enforcing password quality requirements.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_expiration",
+ "group_title": "Set Password Expiration Parameters",
+ "group_description": "The filecontrols several\npassword-related settings. Programs such as,, andconsultto determine\nbehavior with regard to password aging, expiration warnings,\nand length. See the man pagefor more information.Users should be forced to change their passwords, in order to\ndecrease the utility of compromised passwords. However, the need to\nchange passwords often should be balanced against the risk that\nusers will reuse or write down passwords if forced to change them\ntoo often. Forcing password changes every 90-360 days, depending on\nthe environment, is recommended. Set the appropriate value asand apply it to existing accounts with theflag.The() setting prevents password\nchanges for 7 days after the first change, to discourage password\ncycling. If you use this setting, train users to contact an administrator\nfor an emergency password change in case a new password becomes\ncompromised. The() setting gives\nusers 7 days of warnings at login time that their passwords are about to expire.For example, for each existing human user, expiration parameters\ncould be adjusted to a 180 day maximum password age, 7 day minimum password\nage, and 7 day warning period with the following command:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_password_minlen_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_minlen_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_minlen_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R18)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.6.2.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.5.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000205",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0421",
+ "href": ""
+ },
+ {
+ "text": "0422",
+ "href": ""
+ },
+ {
+ "text": "0431",
+ "href": ""
+ },
+ {
+ "text": "0974",
+ "href": ""
+ },
+ {
+ "text": "1173",
+ "href": ""
+ },
+ {
+ "text": "1401",
+ "href": ""
+ },
+ {
+ "text": "1504",
+ "href": ""
+ },
+ {
+ "text": "1505",
+ "href": ""
+ },
+ {
+ "text": "1546",
+ "href": ""
+ },
+ {
+ "text": "1557",
+ "href": ""
+ },
+ {
+ "text": "1558",
+ "href": ""
+ },
+ {
+ "text": "1559",
+ "href": ""
+ },
+ {
+ "text": "1560",
+ "href": ""
+ },
+ {
+ "text": "1561",
+ "href": ""
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(f)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000078-GPOS-00046",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "minimum password length",
+ "lang": "en-US"
+ },
+ "description": "Minimum number of characters in password",
+ "warning": "This will only check new passwords",
+ "value": [
+ {
+ "text": "10",
+ "selector": "10"
+ },
+ {
+ "text": "12",
+ "selector": "12"
+ },
+ {
+ "text": "14",
+ "selector": "14"
+ },
+ {
+ "text": "15",
+ "selector": "15"
+ },
+ {
+ "text": "18",
+ "selector": "18"
+ },
+ {
+ "text": "20",
+ "selector": "20"
+ },
+ {
+ "text": "6",
+ "selector": "6"
+ },
+ {
+ "text": "8",
+ "selector": "8"
+ },
+ "15"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R18)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.6.2.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.5.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000205",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0421"
+ },
+ {
+ "ref": "0422"
+ },
+ {
+ "ref": "0431"
+ },
+ {
+ "ref": "0974"
+ },
+ {
+ "ref": "1173"
+ },
+ {
+ "ref": "1401"
+ },
+ {
+ "ref": "1504"
+ },
+ {
+ "ref": "1505"
+ },
+ {
+ "ref": "1546"
+ },
+ {
+ "ref": "1557"
+ },
+ {
+ "ref": "1558"
+ },
+ {
+ "ref": "1559"
+ },
+ {
+ "ref": "1560"
+ },
+ {
+ "ref": "1561"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(f)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000078-GPOS-00046",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Password Minimum Length in login.defs",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs",
+ "desc": "To specify password length requirements for new accounts, edit the fileand add or correct the following line:The DoD requirement is.\nThe FISMA requirement is.\nThe profile requirement is.\nIf a program consultsand also another PAM module\n(such as) during a password change operation, then\nthe most restrictive must be satisfied. See PAM section for more\ninformation about enforcing password quality requirements.",
+ "descriptions": [
+ {
+ "data": "Requiring a minimum password length makes password\ncracking attacks more difficult by ensuring a larger\nsearch space. However, any security benefit from an onerous requirement\nmust be carefully weighed against usability problems, support costs, or counterproductive\nbehavior that may result.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Password Minimum Length in login.defs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n \"15\",\n \"12\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs\",\n \"use\": \"legacy\"\n }\n },\n \"/etc/login.defs\",\n \"pam_pwquality\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"PASS_MIN_LEN\"\n },\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"To specify password length requirements for new accounts, edit the fileand add or correct the following line:The DoD requirement is.\\nThe FISMA requirement is.\\nThe profile requirement is.\\nIf a program consultsand also another PAM module\\n(such as) during a password change operation, then\\nthe most restrictive must be satisfied. See PAM section for more\\ninformation about enforcing password quality requirements.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R18)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.6.2.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.5.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000205\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0421\",\n \"href\": \"\"\n },\n {\n \"text\": \"0422\",\n \"href\": \"\"\n },\n {\n \"text\": \"0431\",\n \"href\": \"\"\n },\n {\n \"text\": \"0974\",\n \"href\": \"\"\n },\n {\n \"text\": \"1173\",\n \"href\": \"\"\n },\n {\n \"text\": \"1401\",\n \"href\": \"\"\n },\n {\n \"text\": \"1504\",\n \"href\": \"\"\n },\n {\n \"text\": \"1505\",\n \"href\": \"\"\n },\n {\n \"text\": \"1546\",\n \"href\": \"\"\n },\n {\n \"text\": \"1557\",\n \"href\": \"\"\n },\n {\n \"text\": \"1558\",\n \"href\": \"\"\n },\n {\n \"text\": \"1559\",\n \"href\": \"\"\n },\n {\n \"text\": \"1560\",\n \"href\": \"\"\n },\n {\n \"text\": \"1561\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(f)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000078-GPOS-00046\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Requiring a minimum password length makes password\\ncracking attacks more difficult by ensuring a larger\\nsearch space. However, any security benefit from an onerous requirement\\nmust be carefully weighed against usability problems, support costs, or counterproductive\\nbehavior that may result.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_password_minlen_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_minlen_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_minlen_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To specify password length requirements for new accounts, edit the fileand add or correct the following line:The DoD requirement is.\nThe FISMA requirement is.\nThe profile requirement is.\nIf a program consultsand also another PAM module\n(such as) during a password change operation, then\nthe most restrictive must be satisfied. See PAM section for more\ninformation about enforcing password quality requirements.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "IA-5 f.",
+ "IA-5 (1) d.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To specify how many days prior to password\nexpiration that a warning will be issued to users,\nedit the fileand add or correct\n the following line:The DoD requirement is 7.\nThe profile requirement is.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_expiration",
+ "group_title": "Set Password Expiration Parameters",
+ "group_description": "The filecontrols several\npassword-related settings. Programs such as,, andconsultto determine\nbehavior with regard to password aging, expiration warnings,\nand length. See the man pagefor more information.Users should be forced to change their passwords, in order to\ndecrease the utility of compromised passwords. However, the need to\nchange passwords often should be balanced against the risk that\nusers will reuse or write down passwords if forced to change them\ntoo often. Forcing password changes every 90-360 days, depending on\nthe environment, is recommended. Set the appropriate value asand apply it to existing accounts with theflag.The() setting prevents password\nchanges for 7 days after the first change, to discourage password\ncycling. If you use this setting, train users to contact an administrator\nfor an emergency password change in case a new password becomes\ncompromised. The() setting gives\nusers 7 days of warnings at login time that their passwords are about to expire.For example, for each existing human user, expiration parameters\ncould be adjusted to a 180 day maximum password age, 7 day minimum password\nage, and 7 day warning period with the following command:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_password_warn_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_warn_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_warn_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_password_warn_age_login_defs",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.5.8",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0418",
+ "href": ""
+ },
+ {
+ "text": "1055",
+ "href": ""
+ },
+ {
+ "text": "1402",
+ "href": ""
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(f)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.3.9",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "warning days before password expires",
+ "lang": "en-US"
+ },
+ "description": "The number of days' warning given before a password expires.",
+ "warning": "This will only apply to newly created accounts",
+ "value": [
+ {
+ "text": "0",
+ "selector": "0"
+ },
+ {
+ "text": "14",
+ "selector": "14"
+ },
+ {
+ "text": "7",
+ "selector": "7"
+ },
+ "7"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.5.8",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0418"
+ },
+ {
+ "ref": "1055"
+ },
+ {
+ "ref": "1402"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(f)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.3.9",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Password Warning Age",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs",
+ "desc": "To specify how many days prior to password\nexpiration that a warning will be issued to users,\nedit the fileand add or correct\n the following line:The DoD requirement is 7.\nThe profile requirement is.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\nvar_accounts_password_warn_age_login_defs=''\n\n\ngrep -q ^PASS_WARN_AGE /etc/login.defs && \\\nsed -i \"s/PASS_WARN_AGE.*/PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs/g\" /etc/login.defs\nif ! [ $? -eq 0 ]\nthen\n echo -e \"PASS_WARN_AGE\\t$var_accounts_password_warn_age_login_defs\" >> /etc/login.defs\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Setting the password warning age enables users to\nmake the change at a practical time.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Password Warning Age\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"PASS_WARN_AGE\"\n },\n \"text\": \"To specify how many days prior to password\\nexpiration that a warning will be issued to users,\\nedit the fileand add or correct\\n the following line:The DoD requirement is 7.\\nThe profile requirement is.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.5.8\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0418\",\n \"href\": \"\"\n },\n {\n \"text\": \"1055\",\n \"href\": \"\"\n },\n {\n \"text\": \"1402\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(f)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.3.9\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Setting the password warning age enables users to\\nmake the change at a practical time.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'login' 2>/dev/null | grep -q installed; then\\n\\nvar_accounts_password_warn_age_login_defs=''\\n\\n\\ngrep -q ^PASS_WARN_AGE /etc/login.defs && \\\\\\nsed -i \\\"s/PASS_WARN_AGE.*/PASS_WARN_AGE\\\\t$var_accounts_password_warn_age_login_defs/g\\\" /etc/login.defs\\nif ! [ $? -eq 0 ]\\nthen\\n echo -e \\\"PASS_WARN_AGE\\\\t$var_accounts_password_warn_age_login_defs\\\" >> /etc/login.defs\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"accounts_password_warn_age_login_defs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_password_warn_age_login_defs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_warn_age_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_warn_age_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To specify how many days prior to password\nexpiration that a warning will be issued to users,\nedit the fileand add or correct\n the following line:The DoD requirement is 7.\nThe profile requirement is.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "IA-5 h.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If any password hashes are stored in(in the second field,\ninstead of anor), the cause of this misconfiguration should be\ninvestigated. The account should have its password reset and the hash should be\nproperly stored, or the account should be deleted entirely.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_storage",
+ "group_title": "Verify Proper Storage and Existence of Password\nHashes",
+ "group_description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_all_shadowed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.5.10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "1410",
+ "href": ""
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(h)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.2.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.5.10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "1410"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(h)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.2.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify All Account Password Hashes are Shadowed",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed",
+ "desc": "If any password hashes are stored in(in the second field,\ninstead of anor), the cause of this misconfiguration should be\ninvestigated. The account should have its password reset and the hash should be\nproperly stored, or the account should be deleted entirely.",
+ "descriptions": [
+ {
+ "data": "The hashes for all user account passwords should be stored in\nthe fileand never in,\nwhich is readable by all users.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify All Account Password Hashes are Shadowed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/passwd\",\n \"x\",\n \"*\"\n ],\n \"text\": \"If any password hashes are stored in(in the second field,\\ninstead of anor), the cause of this misconfiguration should be\\ninvestigated. The account should have its password reset and the hash should be\\nproperly stored, or the account should be deleted entirely.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.5.10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"1410\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(h)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.2.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/shadow\",\n \"/etc/passwd\"\n ],\n \"text\": \"The hashes for all user account passwords should be stored in\\nthe fileand never in,\\nwhich is readable by all users.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_password_all_shadowed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If any password hashes are stored in(in the second field,\ninstead of anor), the cause of this misconfiguration should be\ninvestigated. The account should have its password reset and the hash should be\nproperly stored, or the account should be deleted entirely.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000764"
+ ],
+ "nist": [
+ "IA-2",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "Add a group to the system for each GID referenced without a corresponding group.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_storage",
+ "group_title": "Verify Proper Storage and Existence of Password\nHashes",
+ "group_description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_gid_passwd_group_same",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-gid_passwd_group_same:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "IA-2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.5.a",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000104-GPOS-00051",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_gid_passwd_group_same",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "IA-2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.5.a",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000104-GPOS-00051",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "All GIDs referenced in /etc/passwd must be defined in /etc/group",
+ "id": "xccdf_org.ssgproject.content_rule_gid_passwd_group_same",
+ "desc": "Add a group to the system for each GID referenced without a corresponding group.",
+ "descriptions": [
+ {
+ "data": "If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group\nwith the Group Identifier (GID) is subsequently created, the user may have unintended rights to\nany files associated with the group.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"All GIDs referenced in /etc/passwd must be defined in /etc/group\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Add a group to the system for each GID referenced without a corresponding group.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"IA-2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.5.a\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000104-GPOS-00051\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group\\nwith the Group Identifier (GID) is subsequently created, the user may have unintended rights to\\nany files associated with the group.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-gid_passwd_group_same:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_gid_passwd_group_same\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Add a group to the system for each GID referenced without a corresponding group.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "IA-5 (1) a.",
+ "IA-5 c.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of theinandto prevent logins with empty passwords.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_storage",
+ "group_title": "Verify Proper Storage and Existence of Password\nHashes",
+ "group_description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_empty_passwords",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_empty_passwords:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_empty_passwords_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "IA-5(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-8.2.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_empty_passwords",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "IA-5(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-8.2.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Prevent Login to Accounts With Empty Password",
+ "id": "xccdf_org.ssgproject.content_rule_no_empty_passwords",
+ "desc": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of theinandto prevent logins with empty passwords.",
+ "descriptions": [
+ {
+ "data": "If an account has an empty password, anyone could log in and\nrun commands with the privileges of that account. Accounts with\nempty passwords should never be used in operational environments.",
+ "label": "rationale"
+ },
+ {
+ "data": "If the system relies ontool to manage PAM settings, the remediation\nwill also usetool. However, if any manual modification was made in\nPAM files, theintegrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nNote that this rule is not applicable for systems running within a\ncontainer. Having user with empty password within a container is not\nconsidered a risk, because it should not be possible to directly login into\na container anyway.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Prevent Login to Accounts With Empty Password\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nullok\",\n \"/etc/pam.d/system-auth\",\n \"/etc/pam.d/password-auth\"\n ],\n \"text\": \"If an account is configured for password authentication\\nbut does not have an assigned password, it may be possible to log\\ninto the account without authentication. Remove any instances of theinandto prevent logins with empty passwords.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"authselect\",\n \"authselect\",\n \"authselect\"\n ],\n \"text\": \"If the system relies ontool to manage PAM settings, the remediation\\nwill also usetool. However, if any manual modification was made in\\nPAM files, theintegrity check will fail and the remediation will be\\naborted in order to preserve intentional changes. In this case, an informative message will\\nbe shown in the remediation report.\\nNote that this rule is not applicable for systems running within a\\ncontainer. Having user with empty password within a container is not\\nconsidered a risk, because it should not be possible to directly login into\\na container anyway.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"IA-5(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-8.2.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If an account has an empty password, anyone could log in and\\nrun commands with the privileges of that account. Accounts with\\nempty passwords should never be used in operational environments.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_empty_passwords:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_empty_passwords_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_no_empty_passwords\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of theinandto prevent logins with empty passwords.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 b.",
+ "CM-6 (1) iv."
+ ],
+ "severity": "high",
+ "description": "Check the \"/etc/shadow\" file for blank passwords with the\nfollowing command:If the command returns any results, this is a finding.\nConfigure all accounts on the system to have a password or lock\nthe account with the following commands:\nPerform a password reset:Lock an account:",
+ "group_id": "xccdf_org.ssgproject.content_group_password_storage",
+ "group_title": "Verify Proper Storage and Existence of Password\nHashes",
+ "group_description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_empty_passwords_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_empty_passwords_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6.1(iv)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6.1(iv)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure There Are No Accounts With Blank or Null Passwords",
+ "id": "xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow",
+ "desc": "Check the \"/etc/shadow\" file for blank passwords with the\nfollowing command:If the command returns any results, this is a finding.\nConfigure all accounts on the system to have a password or lock\nthe account with the following commands:\nPerform a password reset:Lock an account:",
+ "descriptions": [
+ {
+ "data": "If an account has an empty password, anyone could log in and\nrun commands with the privileges of that account. Accounts with\nempty passwords should never be used in operational environments.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure There Are No Accounts With Blank or Null Passwords\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"$ sudo awk -F: '!$2 {print $1}' /etc/shadow\",\n \"$ sudo passwd [username]\",\n \"$ sudo passwd -l [username]\"\n ],\n \"text\": \"Check the \\\"/etc/shadow\\\" file for blank passwords with the\\nfollowing command:If the command returns any results, this is a finding.\\nConfigure all accounts on the system to have a password or lock\\nthe account with the following commands:\\nPerform a password reset:Lock an account:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6.1(iv)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If an account has an empty password, anyone could log in and\\nrun commands with the privileges of that account. Accounts with\\nempty passwords should never be used in operational environments.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nreadarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)\\n\\nfor user_with_empty_pass in \\\"${users_with_empty_pass[@]}\\\"\\ndo\\n passwd -l $user_with_empty_pass\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"no_empty_passwords_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Collect users with no password\\n command: |\\n awk -F: '!$2 {print $1}' /etc/shadow\\n register: users_nopasswd\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(b)\\n - NIST-800-53-CM-6.1(iv)\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_empty_passwords_etc_shadow\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Lock users with no password\\n command: |\\n passwd -l {{ item }}\\n with_items: '{{ users_nopasswd.stdout_lines }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - users_nopasswd.stdout_lines | length > 0\\n tags:\\n - NIST-800-53-CM-6(b)\\n - NIST-800-53-CM-6.1(iv)\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_empty_passwords_etc_shadow\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"no_empty_passwords_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_empty_passwords_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_empty_passwords_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Check the \"/etc/shadow\" file for blank passwords with the\nfollowing command:If the command returns any results, this is a finding.\nConfigure all accounts on the system to have a password or lock\nthe account with the following commands:\nPerform a password reset:Lock an account:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000196"
+ ],
+ "nist": [
+ "IA-5 (1) (c)",
+ "IA-5 h.",
+ "IA-5 (1) c.",
+ "CM-6 a.",
+ "IA-5 (7)"
+ ],
+ "severity": "medium",
+ "description": "Thefiles contain login information\nused to auto-login into FTP servers and reside in the user's home\ndirectory. These files may contain unencrypted passwords to\nremote FTP servers making them susceptible to access by unauthorized\nusers and should not be used. Anyfiles should be removed.",
+ "group_id": "xccdf_org.ssgproject.content_group_password_storage",
+ "group_title": "Verify Proper Storage and Existence of Password\nHashes",
+ "group_description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_netrc_files",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_netrc_files:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_netrc_files_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000196",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "IA-5(h)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(7)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_netrc_files",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000196",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "IA-5(h)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(7)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify No netrc Files Exist",
+ "id": "xccdf_org.ssgproject.content_rule_no_netrc_files",
+ "desc": "Thefiles contain login information\nused to auto-login into FTP servers and reside in the user's home\ndirectory. These files may contain unencrypted passwords to\nremote FTP servers making them susceptible to access by unauthorized\nusers and should not be used. Anyfiles should be removed.",
+ "descriptions": [
+ {
+ "data": "Unencrypted passwords for remote FTP servers may be stored infiles.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify No netrc Files Exist\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \".netrc\",\n \".netrc\"\n ],\n \"text\": \"Thefiles contain login information\\nused to auto-login into FTP servers and reside in the user's home\\ndirectory. These files may contain unencrypted passwords to\\nremote FTP servers making them susceptible to access by unauthorized\\nusers and should not be used. Anyfiles should be removed.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000196\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"IA-5(h)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(7)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \".netrc\",\n \"text\": \"Unencrypted passwords for remote FTP servers may be stored infiles.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_netrc_files:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_netrc_files_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_no_netrc_files\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thefiles contain login information\nused to auto-login into FTP servers and reside in the user's home\ndirectory. These files may contain unencrypted passwords to\nremote FTP servers making them susceptible to access by unauthorized\nusers and should not be used. Anyfiles should be removed.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "IA-2",
+ "AC-6 (5)",
+ "IA-4 b."
+ ],
+ "severity": "high",
+ "description": "If any account other than root has a UID of 0, this misconfiguration should\nbe investigated and the accounts other than root should be removed or have\ntheir UID changed.If the account is associated with system commands or applications the UID\nshould be changed to one greater than \"0\" but less than \"1000.\"\nOtherwise assign a UID greater than \"1000\" that has not already been\nassigned.",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_no_uid_except_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_no_uid_except_zero",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "IA-2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-4(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.2.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "IA-2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-4(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.2.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Only Root Has UID 0",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero",
+ "desc": "If any account other than root has a UID of 0, this misconfiguration should\nbe investigated and the accounts other than root should be removed or have\ntheir UID changed.If the account is associated with system commands or applications the UID\nshould be changed to one greater than \"0\" but less than \"1000.\"\nOtherwise assign a UID greater than \"1000\" that has not already been\nassigned.",
+ "descriptions": [
+ {
+ "data": "awk -F: '$3 == 0 && $1 != \"root\" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l",
+ "label": "fix"
+ },
+ {
+ "data": "An account has root authority if it has a UID of 0. Multiple accounts\nwith a UID of 0 afford more opportunity for potential intruders to\nguess a password for a privileged account. Proper configuration of\nsudo is recommended to afford multiple system administrators\naccess to root privileges in an accountable manner.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Only Root Has UID 0\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": \"\",\n \"text\": \"If any account other than root has a UID of 0, this misconfiguration should\\nbe investigated and the accounts other than root should be removed or have\\ntheir UID changed.If the account is associated with system commands or applications the UID\\nshould be changed to one greater than \\\"0\\\" but less than \\\"1000.\\\"\\nOtherwise assign a UID greater than \\\"1000\\\" that has not already been\\nassigned.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"IA-2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-4(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.2.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"An account has root authority if it has a UID of 0. Multiple accounts\\nwith a UID of 0 afford more opportunity for potential intruders to\\nguess a password for a privileged account. Proper configuration of\\nsudo is recommended to afford multiple system administrators\\naccess to root privileges in an accountable manner.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"awk -F: '$3 == 0 && $1 != \\\"root\\\" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l\",\n \"id\": \"accounts_no_uid_except_zero\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_no_uid_except_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If any account other than root has a UID of 0, this misconfiguration should\nbe investigated and the accounts other than root should be removed or have\ntheir UID changed.If the account is associated with system commands or applications the UID\nshould be changed to one greater than \"0\" but less than \"1000.\"\nOtherwise assign a UID greater than \"1000\" that has not already been\nassigned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "Theuser should have a primary group of 0.",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_root_gid_zero",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_root_gid_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_root_gid_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "Req-8.2.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_root_gid_zero",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "ref": [
+ {
+ "text": "Req-8.2.1"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Root Has A Primary GID 0",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_root_gid_zero",
+ "desc": "Theuser should have a primary group of 0.",
+ "descriptions": [
+ {
+ "data": "To help ensure that root-owned files are not inadvertently exposed to other users.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Root Has A Primary GID 0\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"root\",\n \"text\": \"Theuser should have a primary group of 0.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"Req-8.2.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n \"rationale\": {\n \"text\": \"To help ensure that root-owned files are not inadvertently exposed to other users.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_root_gid_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_root_gid_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_root_gid_zero\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theuser should have a primary group of 0.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "IA-2",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To further limit access to theaccount, administrators\ncan disable root logins at the console by editing thefile.\nThis file lists all devices the root user is allowed to login to. If the file does\nnot exist at all, the root user can login through any communication device on the\nsystem, whether via the console or via a raw network interface. This is dangerous\nas user can login to the system as root via Telnet, which sends the password in\nplain text over the network. By default, Ubuntu 18.04'sfile only allows the root user to login at the console\nphysically attached to the system. To prevent root from logging in, remove the\ncontents of this file. To prevent direct root logins, remove the contents of this\nfile by typing the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_direct_root_logins",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_direct_root_logins:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_direct_root_logins_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R19)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "IA-2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.6.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_direct_root_logins",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R19)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "IA-2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.6.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Direct root Logins Not Allowed",
+ "id": "xccdf_org.ssgproject.content_rule_no_direct_root_logins",
+ "desc": "To further limit access to theaccount, administrators\ncan disable root logins at the console by editing thefile.\nThis file lists all devices the root user is allowed to login to. If the file does\nnot exist at all, the root user can login through any communication device on the\nsystem, whether via the console or via a raw network interface. This is dangerous\nas user can login to the system as root via Telnet, which sends the password in\nplain text over the network. By default, Ubuntu 18.04'sfile only allows the root user to login at the console\nphysically attached to the system. To prevent root from logging in, remove the\ncontents of this file. To prevent direct root logins, remove the contents of this\nfile by typing the following command:",
+ "descriptions": [
+ {
+ "data": "Disabling direct root logins ensures proper accountability and multifactor\nauthentication to privileged accounts. Users will first login, then escalate\nto privileged (root) access via su / sudo. This is required for FISMA Low\nand FISMA Moderate systems.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule only checks thefile existence and its content.\nIf you need to restrict user access using thefile, make sure\nthePAM module is properly enabled in relevant PAM files.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Direct root Logins Not Allowed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"root\",\n \"/etc/securetty\",\n \"/etc/securetty\"\n ],\n \"pre\": \"$ sudo echo > /etc/securetty\",\n \"text\": \"To further limit access to theaccount, administrators\\ncan disable root logins at the console by editing thefile.\\nThis file lists all devices the root user is allowed to login to. If the file does\\nnot exist at all, the root user can login through any communication device on the\\nsystem, whether via the console or via a raw network interface. This is dangerous\\nas user can login to the system as root via Telnet, which sends the password in\\nplain text over the network. By default, Ubuntu 18.04'sfile only allows the root user to login at the console\\nphysically attached to the system. To prevent root from logging in, remove the\\ncontents of this file. To prevent direct root logins, remove the contents of this\\nfile by typing the following command:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"/etc/securetty\",\n \"/etc/securetty\",\n \"pam_securetty.so\"\n ],\n \"text\": \"This rule only checks thefile existence and its content.\\nIf you need to restrict user access using thefile, make sure\\nthePAM module is properly enabled in relevant PAM files.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R19)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"IA-2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.6.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disabling direct root logins ensures proper accountability and multifactor\\nauthentication to privileged accounts. Users will first login, then escalate\\nto privileged (root) access via su / sudo. This is required for FISMA Low\\nand FISMA Moderate systems.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\necho > /etc/securetty\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"no_direct_root_logins\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Direct root Logins Not Allowed\\n copy:\\n dest: /etc/securetty\\n content: ''\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.1\\n - NIST-800-171-3.1.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-IA-2\\n - PCI-DSS-Req-8.6.1\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_direct_root_logins\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"no_direct_root_logins\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_direct_root_logins:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_direct_root_logins_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_no_direct_root_logins\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To further limit access to theaccount, administrators\ncan disable root logins at the console by editing thefile.\nThis file lists all devices the root user is allowed to login to. If the file does\nnot exist at all, the root user can login through any communication device on the\nsystem, whether via the console or via a raw network interface. This is dangerous\nas user can login to the system as root via Telnet, which sends the password in\nplain text over the network. By default, Ubuntu 18.04'sfile only allows the root user to login at the console\nphysically attached to the system. To prevent root from logging in, remove the\ncontents of this file. To prevent direct root logins, remove the contents of this\nfile by typing the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-6",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Some accounts are not associated with a human user of the system, and exist to\nperform some administrative function. An attacker should not be able to log into\nthese accounts.System accounts are those user accounts with a user ID\nless than UID_MIN, where value of the UID_MIN directive is set inconfiguration file. In the default configuration UID_MIN is set\nto 500, thus system accounts are those user accounts with a user ID less than\n500. If any system account(other than root) has an unlocked password,\ndisable it with the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure that System Accounts Are Locked",
+ "id": "xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts",
+ "desc": "Some accounts are not associated with a human user of the system, and exist to\nperform some administrative function. An attacker should not be able to log into\nthese accounts.System accounts are those user accounts with a user ID\nless than UID_MIN, where value of the UID_MIN directive is set inconfiguration file. In the default configuration UID_MIN is set\nto 500, thus system accounts are those user accounts with a user ID less than\n500. If any system account(other than root) has an unlocked password,\ndisable it with the command:",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Disabling authentication for default system accounts makes it more difficult\nfor attackers to make use of them to compromise a system.false",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure that System Accounts Are Locked\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": \"/etc/login.defs\",\n \"i\": \"SYSACCT\",\n \"pre\": {\n \"i\": \"SYSACCT\",\n \"text\": \"$ sudo passwd -l\"\n },\n \"text\": \"Some accounts are not associated with a human user of the system, and exist to\\nperform some administrative function. An attacker should not be able to log into\\nthese accounts.System accounts are those user accounts with a user ID\\nless than UID_MIN, where value of the UID_MIN directive is set inconfiguration file. In the default configuration UID_MIN is set\\nto 500, thus system accounts are those user accounts with a user ID less than\\n500. If any system account(other than root) has an unlocked password,\\ndisable it with the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disabling authentication for default system accounts makes it more difficult\\nfor attackers to make use of them to compromise a system.false\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Some accounts are not associated with a human user of the system, and exist to\nperform some administrative function. An attacker should not be able to log into\nthese accounts.System accounts are those user accounts with a user ID\nless than UID_MIN, where value of the UID_MIN directive is set inconfiguration file. In the default configuration UID_MIN is set\nto 500, thus system accounts are those user accounts with a user ID less than\n500. If any system account(other than root) has an unlocked password,\ndisable it with the command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000770"
+ ],
+ "nist": [
+ "IA-2 (5)",
+ "AC-6",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To restrict root logins on serial ports,\nensure lines of this form do not appear in:",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_restrict_serial_port_logins",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-restrict_serial_port_logins:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-restrict_serial_port_logins_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "restrict_serial_port_logins",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000770",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_restrict_serial_port_logins",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000770",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Restrict Serial Port Root Logins",
+ "id": "xccdf_org.ssgproject.content_rule_restrict_serial_port_logins",
+ "desc": "To restrict root logins on serial ports,\nensure lines of this form do not appear in:",
+ "descriptions": [
+ {
+ "data": "sed -i '/ttyS/d' /etc/securetty",
+ "label": "fix"
+ },
+ {
+ "data": "Preventing direct root login to serial port interfaces\nhelps ensure accountability for actions taken on the systems\nusing the root account.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Restrict Serial Port Root Logins\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/securetty\",\n \"pre\": \"ttyS0\\nttyS1\",\n \"text\": \"To restrict root logins on serial ports,\\nensure lines of this form do not appear in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000770\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Preventing direct root login to serial port interfaces\\nhelps ensure accountability for actions taken on the systems\\nusing the root account.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"sed -i '/ttyS/d' /etc/securetty\",\n \"id\": \"restrict_serial_port_logins\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-restrict_serial_port_logins:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-restrict_serial_port_logins_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_restrict_serial_port_logins\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To restrict root logins on serial ports,\nensure lines of this form do not appear in:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000770"
+ ],
+ "nist": [
+ "IA-2 (5)",
+ "AC-6",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To restrict root logins through the (deprecated) virtual console devices,\nensure lines of this form do not appear in:",
+ "group_id": "xccdf_org.ssgproject.content_group_root_logins",
+ "group_title": "Restrict Root Logins",
+ "group_description": "Direct root logins should be allowed only for emergency use.\nIn normal situations, the administrator should access the system\nvia a unique unprivileged account, and then useorto execute\nprivileged commands. Discouraging administrators from accessing the\nroot account directly ensures an audit trail in organizations with\nmultiple administrators. Locking down the channels through which\nroot can connect directly also reduces opportunities for\npassword-guessing against the root account. Theprogram\nuses the fileto determine which interfaces\nshould allow root logins.\n\nThe virtual devicesandrepresent the system consoles (accessible via\nthe Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default\ninstallation). The default securetty file also contains.\nThese are likely to be deprecated in most environments, but may be retained\nfor compatibility. Root should also be prohibited from connecting\nvia network protocols. Other sections of this document\ninclude guidance describing how to prevent root from logging in via SSH.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_securetty_root_login_console_only",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-securetty_root_login_console_only:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "securetty_root_login_console_only",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000770",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(7)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.6.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000324-GPOS-00125",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_securetty_root_login_console_only",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000770",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(7)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.6.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000324-GPOS-00125",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Restrict Virtual Console Root Logins",
+ "id": "xccdf_org.ssgproject.content_rule_securetty_root_login_console_only",
+ "desc": "To restrict root logins through the (deprecated) virtual console devices,\nensure lines of this form do not appear in:",
+ "descriptions": [
+ {
+ "data": "sed -i '/^vc\\//d' /etc/securetty",
+ "label": "fix"
+ },
+ {
+ "data": "Preventing direct root login to virtual console devices\nhelps ensure accountability for actions taken on the system\nusing the root account.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Restrict Virtual Console Root Logins\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/securetty\",\n \"pre\": \"vc/1\\nvc/2\\nvc/3\\nvc/4\",\n \"text\": \"To restrict root logins through the (deprecated) virtual console devices,\\nensure lines of this form do not appear in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000770\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(7)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.6.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000324-GPOS-00125\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Preventing direct root login to virtual console devices\\nhelps ensure accountability for actions taken on the system\\nusing the root account.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"sed -i '/^vc\\\\//d' /etc/securetty\",\n \"id\": \"securetty_root_login_console_only\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-securetty_root_login_console_only:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_securetty_root_login_console_only\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To restrict root logins through the (deprecated) virtual console devices,\nensure lines of this form do not appear in:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "For each element in root's path, run:and ensure that write permissions are disabled for group and\nother.",
+ "group_id": "xccdf_org.ssgproject.content_group_root_paths",
+ "group_title": "Ensure that No Dangerous Directories Exist in Root's Path",
+ "group_description": "The active path of the root account can be obtained by\nstarting a new root shell and running:This will produce a colon-separated list of\ndirectories in the path.Certain path elements could be considered dangerous, as they could lead\nto root executing unknown or\nuntrusted programs, which could contain malicious\ncode.\nSince root may sometimes work inside\nuntrusted directories, thecharacter, which represents the\ncurrent directory, should never be in the root path, nor should any\ndirectory which can be written to by an unprivileged or\nsemi-privileged (system) user.It is a good practice for administrators to always execute\nprivileged commands by typing the full path to the\ncommand.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_root_path_dirs_no_write:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure that Root's Path Does Not Include World or Group-Writable Directories",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write",
+ "desc": "For each element in root's path, run:and ensure that write permissions are disabled for group and\nother.",
+ "descriptions": [
+ {
+ "data": "Such entries increase the risk that root could\nexecute code provided by unprivileged users,\nand potentially malicious code.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure that Root's Path Does Not Include World or Group-Writable Directories\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": {\n \"i\": \"DIR\",\n \"text\": \"# ls -ld\"\n },\n \"text\": \"For each element in root's path, run:and ensure that write permissions are disabled for group and\\nother.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Such entries increase the risk that root could\\nexecute code provided by unprivileged users,\\nand potentially malicious code.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_root_path_dirs_no_write:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "For each element in root's path, run:and ensure that write permissions are disabled for group and\nother.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "unknown",
+ "description": "Ensure that none of the directories in root's path is equal to a singlecharacter, or\nthat it contains any instances that lead to relative path traversal, such asor beginning a path without the slash () character.\nAlso ensure that there are no \"empty\" elements in the path, such as in these examples:These empty elements have the same effect as a singlecharacter.",
+ "group_id": "xccdf_org.ssgproject.content_group_root_paths",
+ "group_title": "Ensure that No Dangerous Directories Exist in Root's Path",
+ "group_description": "The active path of the root account can be obtained by\nstarting a new root shell and running:This will produce a colon-separated list of\ndirectories in the path.Certain path elements could be considered dangerous, as they could lead\nto root executing unknown or\nuntrusted programs, which could contain malicious\ncode.\nSince root may sometimes work inside\nuntrusted directories, thecharacter, which represents the\ncurrent directory, should never be in the root path, nor should any\ndirectory which can be written to by an unprivileged or\nsemi-privileged (system) user.It is a good practice for administrators to always execute\nprivileged commands by typing the full path to the\ncommand.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_root_path_no_dot",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-root_path_no_dot:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_root_path_no_dot",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure that Root's Path Does Not Include Relative Paths or Null Directories",
+ "id": "xccdf_org.ssgproject.content_rule_root_path_no_dot",
+ "desc": "Ensure that none of the directories in root's path is equal to a singlecharacter, or\nthat it contains any instances that lead to relative path traversal, such asor beginning a path without the slash () character.\nAlso ensure that there are no \"empty\" elements in the path, such as in these examples:These empty elements have the same effect as a singlecharacter.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-root_path_no_dot:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Including these entries increases the risk that root could\nexecute code from an untrusted location.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure that Root's Path Does Not Include Relative Paths or Null Directories\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \".\",\n \"..\",\n \"/\",\n \".\"\n ],\n \"pre\": \"PATH=:/bin\\nPATH=/bin:\\nPATH=/bin::/sbin\",\n \"text\": \"Ensure that none of the directories in root's path is equal to a singlecharacter, or\\nthat it contains any instances that lead to relative path traversal, such asor beginning a path without the slash () character.\\nAlso ensure that there are no \\\"empty\\\" elements in the path, such as in these examples:These empty elements have the same effect as a singlecharacter.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Including these entries increases the risk that root could\\nexecute code from an untrusted location.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-root_path_no_dot:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_root_path_no_dot\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ensure that none of the directories in root's path is equal to a singlecharacter, or\nthat it contains any instances that lead to relative path traversal, such asor beginning a path without the slash () character.\nAlso ensure that there are no \"empty\" elements in the path, such as in these examples:These empty elements have the same effect as a singlecharacter.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-6 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "group_id": "xccdf_org.ssgproject.content_group_user_umask",
+ "group_title": "Ensure that Users Have Sensible Umask Values",
+ "group_description": "The umask setting controls the default permissions\nfor the creation of new files.\nWith a defaultsetting of 077, files and directories\ncreated by users will not be readable by any other user on the\nsystem. Users who wish to make specific files group- or\nworld-readable can accomplish this by using the chmod command.\nAdditionally, users can make all their files readable to their\ngroup by default by setting aof 027 in their shell\nconfiguration files. If default per-user groups exist (that is, if\nevery user has a default group whose name is the same as that\nuser's username and whose only member is the user), then it may\neven be safe for users to select aof 007, making it very\neasy to intentionally share files with groups of which the user is\na member.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_user_umask:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_umask_etc_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_umask_etc_login_defs",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R35)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.6.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00228",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Sensible umask",
+ "lang": "en-US"
+ },
+ "description": "Enter default user umask",
+ "value": [
+ {
+ "text": "007",
+ "selector": "007"
+ },
+ {
+ "text": "022",
+ "selector": "022"
+ },
+ {
+ "text": "027",
+ "selector": "027"
+ },
+ {
+ "text": "077",
+ "selector": "077"
+ },
+ "027"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_user_umask",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R35)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.6.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00228",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure the Default Umask is Set Correctly in login.defs",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs",
+ "desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'login' 2>/dev/null | grep -q installed; then\n\nvar_accounts_user_umask=''\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/login.defs\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^UMASK\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s %s\" \"$stripped_key\" \"$var_accounts_user_umask\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^UMASK\\\\>\" \"/etc/login.defs\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^UMASK\\\\>.*/$escaped_formatted_output/gi\" \"/etc/login.defs\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"/etc/login.defs\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "The umask value influences the permissions assigned to files when they are created.\nA misconfigured umask value could result in files with excessive permissions that can be read and\nwritten to by unauthorized users.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure the Default Umask is Set Correctly in login.defs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n \"UMASK\",\n \"/etc/login.defs\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\",\n \"use\": \"legacy\"\n },\n \"text\": \"UMASK\"\n },\n \"text\": \"To ensure the default umask controlled byis set properly,\\nadd or correct thesetting into read as follows:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R35)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.6.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00228\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The umask value influences the permissions assigned to files when they are created.\\nA misconfigured umask value could result in files with excessive permissions that can be read and\\nwritten to by unauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'login' 2>/dev/null | grep -q installed; then\\n\\nvar_accounts_user_umask=''\\n\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/login.defs\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^UMASK\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s %s\\\" \\\"$stripped_key\\\" \\\"$var_accounts_user_umask\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^UMASK\\\\\\\\>\\\" \\\"/etc/login.defs\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^UMASK\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/login.defs\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/login.defs\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"accounts_umask_etc_login_defs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_user_umask:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_umask_etc_login_defs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-6 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "group_id": "xccdf_org.ssgproject.content_group_user_umask",
+ "group_title": "Ensure that Users Have Sensible Umask Values",
+ "group_description": "The umask setting controls the default permissions\nfor the creation of new files.\nWith a defaultsetting of 077, files and directories\ncreated by users will not be readable by any other user on the\nsystem. Users who wish to make specific files group- or\nworld-readable can accomplish this by using the chmod command.\nAdditionally, users can make all their files readable to their\ngroup by default by setting aof 027 in their shell\nconfiguration files. If default per-user groups exist (that is, if\nevery user has a default group whose name is the same as that\nuser's username and whose only member is the user), then it may\neven be safe for users to select aof 007, making it very\neasy to intentionally share files with groups of which the user is\na member.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_user_umask:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_umask_etc_profile:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_umask_etc_profile_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R35)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "A.14.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.6.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00228",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Sensible umask",
+ "lang": "en-US"
+ },
+ "description": "Enter default user umask",
+ "value": [
+ {
+ "text": "007",
+ "selector": "007"
+ },
+ {
+ "text": "022",
+ "selector": "022"
+ },
+ {
+ "text": "027",
+ "selector": "027"
+ },
+ {
+ "text": "077",
+ "selector": "077"
+ },
+ "027"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_user_umask",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R35)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "A.14.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.6.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00228",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure the Default Umask is Set Correctly in /etc/profile",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile",
+ "desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "descriptions": [
+ {
+ "data": "The umask value influences the permissions assigned to files when they are created.\nA misconfigured umask value could result in files with excessive permissions that can be read or\nwritten to by unauthorized users.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure the Default Umask is Set Correctly in /etc/profile\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/profile\",\n \"umask\",\n \"/etc/profile\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\",\n \"use\": \"legacy\"\n },\n \"text\": \"umask\"\n },\n \"text\": \"To ensure the default umask controlled byis set properly,\\nadd or correct thesetting into read as follows:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R35)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"A.14.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.6.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00228\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The umask value influences the permissions assigned to files when they are created.\\nA misconfigured umask value could result in files with excessive permissions that can be read or\\nwritten to by unauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\",\n \"use\": \"legacy\"\n },\n \"text\": \"var_accounts_user_umask=''\\n\\n\\ngrep -qE '^[^#]*umask' /etc/profile && \\\\\\n sed -i \\\"s/umask.*/umask $var_accounts_user_umask/g\\\" /etc/profile\\nif ! [ $? -eq 0 ]; then\\n echo \\\"umask $var_accounts_user_umask\\\" >> /etc/profile\\nfi\",\n \"id\": \"accounts_umask_etc_profile\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_accounts_user_umask # promote to variable\\n set_fact:\\n var_accounts_user_umask: !!strtags:\\n - always\\n\\n- name: Check if umask is already set\\n ansible.builtin.lineinfile:\\n path: /etc/profile\\n regexp: (^[\\\\s]*umask)\\\\s+(\\\\d+)\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: result_umask_is_set\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.6.1\\n - accounts_umask_etc_profile\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Replace user umask in /etc/profile\\n ansible.builtin.replace:\\n path: /etc/profile\\n regexp: ^(\\\\s*)umask\\\\s+\\\\d+\\n replace: \\\\1umask {{ var_accounts_user_umask }}\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.6.1\\n - accounts_umask_etc_profile\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Append user umask in /etc/profile\\n ansible.builtin.lineinfile:\\n create: true\\n path: /etc/profile\\n line: umask {{ var_accounts_user_umask }}\\n when: result_umask_is_set.found == 0\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.6.1\\n - accounts_umask_etc_profile\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"accounts_umask_etc_profile\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_user_umask:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_user_umask\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_umask_etc_profile:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_umask_etc_profile_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To ensure the default umask controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To ensure the logon failure delay controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-session",
+ "group_title": "Secure Session Configuration Files for Login Accounts",
+ "group_description": "When a user logs into a Unix account, the system\nconfigures the user's session by reading a number of files. Many of\nthese files are located in the user's home directory, and may have\nweak permissions as a result of user error or misconfiguration. If\nan attacker can modify or even read certain types of account\nconfiguration information, they can often gain full access to the\naffected user's account. Therefore, it is important to test and\ncorrect configuration file permissions for interactive accounts,\nparticularly those of privileged users such as root or system\nadministrators.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_fail_delay:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_fail_delay\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_logon_fail_delay:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_logon_fail_delay_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00226",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Maximum login attempts delay",
+ "lang": "en-US"
+ },
+ "description": "Maximum time in seconds between fail login attempts before re-prompting.",
+ "value": [
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "2",
+ "selector": "2"
+ },
+ {
+ "text": "3",
+ "selector": "3"
+ },
+ {
+ "text": "4",
+ "selector": "4"
+ },
+ {
+ "text": "5",
+ "selector": "5"
+ },
+ "4"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_fail_delay",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00226",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure the Logon Failure Delay is Set Correctly in login.defs",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay",
+ "desc": "To ensure the logon failure delay controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "descriptions": [
+ {
+ "data": "Increasing the time between a failed authentication attempt and re-prompting to\nenter credentials helps to slow a single-threaded brute force attack.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure the Logon Failure Delay is Set Correctly in login.defs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/login.defs\",\n \"FAIL_DELAY\",\n \"/etc/login.defs\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_fail_delay\",\n \"use\": \"legacy\"\n },\n \"text\": \"FAIL_DELAY\"\n },\n \"text\": \"To ensure the logon failure delay controlled byis set properly,\\nadd or correct thesetting into read as follows:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00226\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Increasing the time between a failed authentication attempt and re-prompting to\\nenter credentials helps to slow a single-threaded brute force attack.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#login_defs\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_fail_delay:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_fail_delay\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_logon_fail_delay:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_logon_fail_delay_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To ensure the logon failure delay controlled byis set properly,\nadd or correct thesetting into read as follows:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000054"
+ ],
+ "nist": [
+ "AC-10",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "Limiting the number of allowed users and sessions per user can limit risks related to Denial of\nService attacks. This addresses concurrent sessions for a single account and does not address\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\nsessions per user add the following line inor\na file under:",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-session",
+ "group_title": "Secure Session Configuration Files for Login Accounts",
+ "group_description": "When a user logs into a Unix account, the system\nconfigures the user's session by reading a number of files. Many of\nthese files are located in the user's home directory, and may have\nweak permissions as a result of user error or misconfiguration. If\nan attacker can modify or even read certain types of account\nconfiguration information, they can often gain full access to the\naffected user's account. Therefore, it is important to test and\ncorrect configuration file permissions for interactive accounts,\nparticularly those of privileged users such as root or system\nadministrators.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_max_concurrent_login_sessions:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_max_concurrent_login_sessions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_max_concurrent_login_sessions",
+ "reference": {
+ "references": [
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000054",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000027-GPOS-00008",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000027-VMM-000080",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Maximum concurrent login sessions",
+ "lang": "en-US"
+ },
+ "description": "Maximum number of concurrent sessions by a user",
+ "value": [
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "10",
+ "selector": "10"
+ },
+ {
+ "text": "15",
+ "selector": "15"
+ },
+ {
+ "text": "20",
+ "selector": "20"
+ },
+ {
+ "text": "3",
+ "selector": "3"
+ },
+ {
+ "text": "5",
+ "selector": "5"
+ },
+ "1"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000054",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000027-GPOS-00008",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000027-VMM-000080"
+ }
+ ],
+ "source_location": {},
+ "title": "Limit the Number of Concurrent Login Sessions Allowed Per User",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions",
+ "desc": "Limiting the number of allowed users and sessions per user can limit risks related to Denial of\nService attacks. This addresses concurrent sessions for a single account and does not address\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\nsessions per user add the following line inor\na file under:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\n\nvar_accounts_max_concurrent_login_sessions=''\n\n\nif grep -q '^[^#]*\\' /etc/security/limits.d/*.conf; then\n\tsed -i \"/^[^#]*\\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/\" /etc/security/limits.d/*.conf\nelif grep -q '^[^#]*\\' /etc/security/limits.conf; then\n\tsed -i \"/^[^#]*\\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/\" /etc/security/limits.conf\nelse\n\techo \"*\thard\tmaxlogins\t$var_accounts_max_concurrent_login_sessions\" >> /etc/security/limits.conf\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Limiting simultaneous user logins can insulate the system from denial of service\nproblems caused by excessive logins. Automated login processes operating improperly or\nmaliciously may result in an exceptional number of simultaneous login sessions.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Limit the Number of Concurrent Login Sessions Allowed Per User\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/security/limits.conf\",\n \"/etc/security/limits.d/\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions\",\n \"use\": \"legacy\"\n },\n \"text\": \"* hard maxlogins\"\n },\n \"text\": \"Limiting the number of allowed users and sessions per user can limit risks related to Denial of\\nService attacks. This addresses concurrent sessions for a single account and does not address\\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\\nsessions per user add the following line inor\\na file under:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000054\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000027-GPOS-00008\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000027-VMM-000080\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Limiting simultaneous user logins can insulate the system from denial of service\\nproblems caused by excessive logins. Automated login processes operating improperly or\\nmaliciously may result in an exceptional number of simultaneous login sessions.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_pam\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then\\n\\nvar_accounts_max_concurrent_login_sessions=''\\n\\n\\nif grep -q '^[^#]*\\\\' /etc/security/limits.d/*.conf; then\\n\\tsed -i \\\"/^[^#]*\\\\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/\\\" /etc/security/limits.d/*.conf\\nelif grep -q '^[^#]*\\\\' /etc/security/limits.conf; then\\n\\tsed -i \\\"/^[^#]*\\\\/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/\\\" /etc/security/limits.conf\\nelse\\n\\techo \\\"*\\thard\\tmaxlogins\\t$var_accounts_max_concurrent_login_sessions\\\" >> /etc/security/limits.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"accounts_max_concurrent_login_sessions\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_accounts_max_concurrent_login_sessions:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_max_concurrent_login_sessions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Limiting the number of allowed users and sessions per user can limit risks related to Denial of\nService attacks. This addresses concurrent sessions for a single account and does not address\nconcurrent sessions by a single user via multiple accounts. To set the number of concurrent\nsessions per user add the following line inor\na file under:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-session",
+ "group_title": "Secure Session Configuration Files for Login Accounts",
+ "group_description": "When a user logs into a Unix account, the system\nconfigures the user's session by reading a number of files. Many of\nthese files are located in the user's home directory, and may have\nweak permissions as a result of user error or misconfiguration. If\nan attacker can modify or even read certain types of account\nconfiguration information, they can often gain full access to the\naffected user's account. Therefore, it is important to test and\ncorrect configuration file permissions for interactive accounts,\nparticularly those of privileged users such as root or system\nadministrators.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_polyinstantiated_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_polyinstantiated_tmp",
+ "reference": {
+ "references": {
+ "text": "BP28(R39)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R39)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Configure Polyinstantiation of /tmp Directories",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp",
+ "desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "descriptions": [
+ {
+ "data": "if ! [ -d /tmp/tmp-inst ] ; then\n mkdir --mode 000 /tmp/tmp-inst\nfi\nchmod 000 /tmp/tmp-inst\nchcon --reference=/tmp /tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/tmp\\s+/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/tmp /tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Polyinstantiation of temporary directories is a proactive security measure\nwhich reduces chances of attacks that are made possible by /tmp\ndirectories being world-writable.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Polyinstantiation of /tmp Directories\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"$ sudo mkdir --mode 000 /tmp/tmp-inst\",\n \"/tmp /tmp/tmp-inst/ level root,adm\"\n ],\n \"code\": \"/etc/security/namespace.conf\",\n \"text\": \"To configure polyinstantiated /tmp directories, first create the parent directories\\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R39)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Polyinstantiation of temporary directories is a proactive security measure\\nwhich reduces chances of attacks that are made possible by /tmp\\ndirectories being world-writable.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"if ! [ -d /tmp/tmp-inst ] ; then\\n mkdir --mode 000 /tmp/tmp-inst\\nfi\\nchmod 000 /tmp/tmp-inst\\nchcon --reference=/tmp /tmp/tmp-inst\\n\\nif ! grep -Eq '^\\\\s*/tmp\\\\s+/tmp/tmp-inst/\\\\s+level\\\\s+root,adm$' /etc/security/namespace.conf ; then\\n if grep -Eq '^\\\\s*/tmp\\\\s+' /etc/security/namespace.conf ; then\\n sed -i '/^\\\\s*\\\\/tmp/d' /etc/security/namespace.conf\\n fi\\n echo \\\"/tmp /tmp/tmp-inst/ level root,adm\\\" >> /etc/security/namespace.conf\\nfi\",\n \"id\": \"accounts_polyinstantiated_tmp\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_polyinstantiated_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-session",
+ "group_title": "Secure Session Configuration Files for Login Accounts",
+ "group_description": "When a user logs into a Unix account, the system\nconfigures the user's session by reading a number of files. Many of\nthese files are located in the user's home directory, and may have\nweak permissions as a result of user error or misconfiguration. If\nan attacker can modify or even read certain types of account\nconfiguration information, they can often gain full access to the\naffected user's account. Therefore, it is important to test and\ncorrect configuration file permissions for interactive accounts,\nparticularly those of privileged users such as root or system\nadministrators.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_polyinstantiated_var_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_polyinstantiated_var_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "accounts_polyinstantiated_var_tmp",
+ "reference": {
+ "references": {
+ "text": "BP28(R39)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R39)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Configure Polyinstantiation of /var/tmp Directories",
+ "id": "xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp",
+ "desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "descriptions": [
+ {
+ "data": "if ! [ -d /tmp-inst ] ; then\n mkdir --mode 000 /var/tmp/tmp-inst\nfi\nchmod 000 /var/tmp/tmp-inst\nchcon --reference=/var/tmp/ /var/tmp/tmp-inst\n\nif ! grep -Eq '^\\s*/var/tmp\\s+/var/tmp/tmp-inst/\\s+level\\s+root,adm$' /etc/security/namespace.conf ; then\n if grep -Eq '^\\s*/var/tmp\\s+' /etc/security/namespace.conf ; then\n sed -i '/^\\s*\\/var\\/tmp/d' /etc/security/namespace.conf\n fi\n echo \"/var/tmp /var/tmp/tmp-inst/ level root,adm\" >> /etc/security/namespace.conf\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Polyinstantiation of temporary directories is a proactive security measure\nwhich reduces chances of attacks that are made possible by /var/tmp\ndirectories being world-writable.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Polyinstantiation of /var/tmp Directories\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"$ sudo mkdir --mode 000 /var/tmp/tmp-inst\",\n \"/var/tmp /var/tmp/tmp-inst/ level root,adm\"\n ],\n \"code\": \"/etc/security/namespace.conf\",\n \"text\": \"To configure polyinstantiated /tmp directories, first create the parent directories\\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R39)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Polyinstantiation of temporary directories is a proactive security measure\\nwhich reduces chances of attacks that are made possible by /var/tmp\\ndirectories being world-writable.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"if ! [ -d /tmp-inst ] ; then\\n mkdir --mode 000 /var/tmp/tmp-inst\\nfi\\nchmod 000 /var/tmp/tmp-inst\\nchcon --reference=/var/tmp/ /var/tmp/tmp-inst\\n\\nif ! grep -Eq '^\\\\s*/var/tmp\\\\s+/var/tmp/tmp-inst/\\\\s+level\\\\s+root,adm$' /etc/security/namespace.conf ; then\\n if grep -Eq '^\\\\s*/var/tmp\\\\s+' /etc/security/namespace.conf ; then\\n sed -i '/^\\\\s*\\\\/var\\\\/tmp/d' /etc/security/namespace.conf\\n fi\\n echo \\\"/var/tmp /var/tmp/tmp-inst/ level root,adm\\\" >> /etc/security/namespace.conf\\nfi\",\n \"id\": \"accounts_polyinstantiated_var_tmp\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-accounts_polyinstantiated_var_tmp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-accounts_polyinstantiated_var_tmp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure polyinstantiated /tmp directories, first create the parent directories\nwhich will hold the polyinstantiation child directories. Use the following command:Then, add the following entry to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000225"
+ ],
+ "nist": [
+ "AC-6",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "For each human user of the system, view the\npermissions of the user's home directory:Ensure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:",
+ "group_id": "xccdf_org.ssgproject.content_group_accounts-session",
+ "group_title": "Secure Session Configuration Files for Login Accounts",
+ "group_description": "When a user logs into a Unix account, the system\nconfigures the user's session by reading a number of files. Many of\nthese files are located in the user's home directory, and may have\nweak permissions as a result of user error or misconfiguration. If\nan attacker can modify or even read certain types of account\nconfiguration information, they can often gain full access to the\naffected user's account. Therefore, it is important to test and\ncorrect configuration file permissions for interactive accounts,\nparticularly those of privileged users such as root or system\nadministrators.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_home_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_home_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000225",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_home_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000225",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure that User Home Directories are not Group-Writable or World-Readable",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_home_dirs",
+ "desc": "For each human user of the system, view the\npermissions of the user's home directory:Ensure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:",
+ "descriptions": [
+ {
+ "data": "User home directories contain many configuration files which\naffect the behavior of a user's account. No user should ever have\nwrite permission to another user's home directory. Group shared\ndirectories can be configured in sub-directories or elsewhere in the\nfilesystem if they are needed. Typically, user home directories\nshould not be world-readable, as it would disclose file names\nto other users. If a subset of users need read access\nto one another's home directories, this can be provided using\ngroups or ACLs.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure that User Home Directories are not Group-Writable or World-Readable\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n {\n \"i\": \"USER\",\n \"text\": \"# ls -ld /home/\"\n },\n {\n \"i\": [\n \"USER\",\n \"USER\"\n ],\n \"text\": \"# chmod g-w /home/# chmod o-rwx /home/\"\n }\n ],\n \"text\": \"For each human user of the system, view the\\npermissions of the user's home directory:Ensure that the directory is not group-writable and that it\\nis not world-readable. If necessary, repair the permissions:\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"This action may involve modifying user home directories.\\nNotify your user community, and solicit input if appropriate,\\nbefore making this type of change.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n {\n \"code\": [\n \"file_permissions_home_directories\",\n \"0.1.62\"\n ],\n \"text\": \"This rule is deprecated in favor of therule.\\nPlease consider replacing this rule in your files as it is not expected to receive\\nupdates as of version.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n }\n ],\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000225\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"User home directories contain many configuration files which\\naffect the behavior of a user's account. No user should ever have\\nwrite permission to another user's home directory. Group shared\\ndirectories can be configured in sub-directories or elsewhere in the\\nfilesystem if they are needed. Typically, user home directories\\nshould not be world-readable, as it would disclose file names\\nto other users. If a subset of users need read access\\nto one another's home directories, this can be provided using\\ngroups or ACLs.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do\\n # Only update the permissions when necessary. This will avoid changing the inode timestamp when\\n # the permission is already defined as expected, therefore not impacting in possible integrity\\n # check systems that also check inodes timestamps.\\n find \\\"$home_dir\\\" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \\\\;\\ndone\",\n \"id\": \"file_permissions_home_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Get all local users from /etc/passwd\\n ansible.builtin.getent:\\n database: passwd\\n split: ':'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-6(a)\\n - file_permissions_home_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Create local_users variable from the getent output\\n ansible.builtin.set_fact:\\n local_users: '{{ ansible_facts.getent_passwd|dict2items }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-6(a)\\n - file_permissions_home_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Test for existence home directories to avoid creating them.\\n ansible.builtin.stat:\\n path: '{{ item.value[4] }}'\\n register: path_exists\\n loop: '{{ local_users }}'\\n when:\\n - item.value[1]|int >= 1000\\n - item.value[1]|int != 65534\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-6(a)\\n - file_permissions_home_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Ensure interactive local users have proper permissions on their respective\\n home directories\\n ansible.builtin.file:\\n path: '{{ item.0.value[4] }}'\\n mode: u-s,g-w-s,o=-\\n follow: false\\n recurse: false\\n loop: '{{ local_users|zip(path_exists.results)|list }}'\\n when: item.1.stat is defined and item.1.stat.exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-6(a)\\n - file_permissions_home_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"file_permissions_home_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_home_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_home_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "For each human user of the system, view the\npermissions of the user's home directory:Ensure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_chmod:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_chmod_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - chmod",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - chmod\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured to\\nuse theprogram to read audit rules during daemon startup\\n(the default), add the following line to a file with suffixin\\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"chmod\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chmod fchmod fchmodat\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_chmod\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit chmod tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for chmod for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of chmod in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of chmod in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for chmod for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of chmod in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of chmod in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_chmod\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_chmod:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_chmod_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_chown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_chown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - chown",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - chown\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured to\\nuse theprogram to read audit rules during daemon startup\\n(the default), add the following line to a file with suffixin\\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"chown\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chown fchown fchownat lchown\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_chown\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit chown tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for chown for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of chown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of chown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for chown for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of chown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - chown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of chown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_chown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_chown\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_chown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_chown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchmod:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchmod_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fchmod",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fchmod\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured to\\nuse theprogram to read audit rules during daemon startup\\n(the default), add the following line to a file with suffixin\\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fchmod\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chmod fchmod fchmodat\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fchmod\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fchmod tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchmod for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmod in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmod in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchmod for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmod in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmod\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmod in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmod\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fchmod\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchmod:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchmod_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchmodat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchmodat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fchmodat",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fchmodat\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured to\\nuse theprogram to read audit rules during daemon startup\\n(the default), add the following line to a file with suffixin\\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fchmodat\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chmod fchmod fchmodat\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fchmodat\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmodat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fchmodat tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmodat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchmodat for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmodat\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmodat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmodat\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmodat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmodat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchmodat for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmodat\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmodat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchmodat\\n syscall_grouping:\\n - chmod\\n - fchmod\\n - fchmodat\\n\\n - name: Check existence of fchmodat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchmodat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fchmodat\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchmodat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchmodat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fchown",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fchown\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fchown\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chown fchown fchownat lchown\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fchown\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fchown tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchown for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchown for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fchown\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchownat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchownat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fchownat",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fchownat\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fchownat\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chown fchown fchownat lchown\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fchownat\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchownat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fchownat tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchownat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchownat for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchownat\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchownat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchownat\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchownat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchownat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fchownat for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchownat\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchownat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fchownat\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of fchownat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fchownat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fchownat\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fchownat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fchownat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fremovexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000463-GPOS-00207",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000463-GPOS-00207",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fremovexattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fremovexattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\"\n ],\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root.If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000463-GPOS-00207\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fremovexattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fremovexattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fremovexattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fremovexattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fremovexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fremovexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fremovexattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fremovexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fremovexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fremovexattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fremovexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fsetxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fsetxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000463-GPOS-00207",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000463-GPOS-00207",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - fsetxattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - fsetxattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000463-GPOS-00207\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"fsetxattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_fsetxattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit fsetxattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fsetxattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fsetxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fsetxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for fsetxattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fsetxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - fsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of fsetxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_fsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_fsetxattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_fsetxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_fsetxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lchown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lchown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - lchown",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - lchown\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"lchown\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"chown fchown fchownat lchown\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_lchown\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit lchown tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lchown for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of lchown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of lchown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lchown for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of lchown in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lchown\\n syscall_grouping:\\n - chown\\n - fchown\\n - fchownat\\n - lchown\\n\\n - name: Check existence of lchown in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lchown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_lchown\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lchown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lchown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lremovexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000463-GPOS-00207",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000463-GPOS-00207",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - lremovexattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - lremovexattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\"\n ],\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root.If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000463-GPOS-00207\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"lremovexattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_lremovexattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit lremovexattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lremovexattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lremovexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lremovexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lremovexattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lremovexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lremovexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lremovexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lremovexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_lremovexattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lremovexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lsetxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000463-GPOS-00207",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000463-GPOS-00207",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - lsetxattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - lsetxattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000463-GPOS-00207\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"lsetxattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_lsetxattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit lsetxattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lsetxattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lsetxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lsetxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for lsetxattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lsetxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - lsetxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of lsetxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_lsetxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_lsetxattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_lsetxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_removexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_removexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000463-GPOS-00207",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000474-GPOS-00219",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000463-GPOS-00207",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000474-GPOS-00219",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - removexattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - removexattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\"\n ],\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\\nfollowing line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000463-GPOS-00207\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000474-GPOS-00219\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"removexattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_removexattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_removexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit removexattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_removexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for removexattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - removexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of removexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - removexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of removexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_removexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for removexattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - removexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of removexattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - removexattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of removexattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_removexattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_removexattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_removexattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_removexattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_setxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000064-GPOS-00033",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-GPOS-00203",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000458-VMM-001810",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000474-VMM-001940",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000064-GPOS-00033",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-GPOS-00203",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000458-VMM-001810"
+ },
+ {
+ "ref": "SRG-OS-000474-VMM-001940"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - setxattr",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr",
+ "desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - setxattr\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file permission\\nchanges for all users and root. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000064-GPOS-00033\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-GPOS-00203\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000458-VMM-001810\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000474-VMM-001940\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"setxattr\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"fremovexattr lremovexattr removexattr fsetxattr lsetxattr setxattr\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_setxattr\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_setxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit setxattr tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_setxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for setxattr for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - setxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of setxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - setxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of setxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_setxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for setxattr for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - setxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of setxattr in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - setxattr\\n syscall_grouping:\\n - fremovexattr\\n - lremovexattr\\n - removexattr\\n - fsetxattr\\n - lsetxattr\\n - setxattr\\n\\n - name: Check existence of setxattr in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.5\\n - audit_rules_dac_modification_setxattr\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_setxattr\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_setxattr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)"
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file system umount\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_umount:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_umount_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - umount",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount",
+ "desc": "At a minimum, the audit system should collect file system umount\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - umount\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file system umount\\nchanges. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=b32\\\"\\nOTHER_FILTERS=\\\"\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"umount\\\"\\nKEY=\\\"perm_mod\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_umount\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - audit_rules_dac_modification_umount\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for umount for x86 platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount\\n syscall_grouping: []\\n\\n - name: Check existence of umount in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount\\n syscall_grouping: []\\n\\n - name: Check existence of umount in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - audit_rules_dac_modification_umount\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_umount\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_umount:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_umount_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file system umount\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)"
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file system umount2\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_dac_actions",
+ "group_title": "Record Events that Modify the System's Discretionary Access Controls",
+ "group_description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. Note that the \"-F arch=b32\" lines should be\npresent even on a 64 bit system. These commands identify system calls for\nauditing. Even if the system is 64 bit it can still execute 32 bit system\ncalls. Additionally, these rules can be configured in a number of ways while\nstill achieving the desired effect. An example of this is that the \"-S\" calls\ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to:If your system is 64 bit then these lines should be duplicated and the\narch=b32 replaced with arch=b64 as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_umount2:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_umount2_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Discretionary Access Controls - umount2",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2",
+ "desc": "At a minimum, the audit system should collect file system umount2\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "descriptions": [
+ {
+ "data": "The changing of file permissions could indicate that a user is attempting to\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\ncan facilitate the identification of patterns of abuse among both authorized and\nunauthorized users.",
+ "label": "rationale"
+ },
+ {
+ "data": "Note that these rules can be configured in a\nnumber of ways while still achieving the desired effect. Here the system calls\nhave been placed independent of other system calls. Grouping these system\ncalls with others as identifying earlier in this guide is more efficient.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Discretionary Access Controls - umount2\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\",\n \"-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ],\n \"text\": \"At a minimum, the audit system should collect file system umount2\\nchanges. If thedaemon is configured\\nto use theprogram to read audit rules during daemon\\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Note that these rules can be configured in a\\nnumber of ways while still achieving the desired effect. Here the system calls\\nhave been placed independent of other system calls. Grouping these system\\ncalls with others as identifying earlier in this guide is more efficient.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The changing of file permissions could indicate that a user is attempting to\\ngain access to information that would otherwise be disallowed. Auditing DAC modifications\\ncan facilitate the identification of patterns of abuse among both authorized and\\nunauthorized users.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"umount2\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_dac_modification_umount2\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - audit_rules_dac_modification_umount2\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit umount2 tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - audit_rules_dac_modification_umount2\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for umount2 for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount2\\n syscall_grouping: []\\n\\n - name: Check existence of umount2 in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount2\\n syscall_grouping: []\\n\\n - name: Check existence of umount2 in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - audit_rules_dac_modification_umount2\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for umount2 for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount2\\n syscall_grouping: []\\n\\n - name: Check existence of umount2 in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - umount2\\n syscall_grouping: []\\n\\n - name: Check existence of umount2 in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - audit_rules_dac_modification_umount2\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_dac_modification_umount2\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_dac_modification_umount2:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_dac_modification_umount2_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file system umount2\nchanges. If thedaemon is configured\nto use theprogram to read audit rules during daemon\nstartup (the default), add the following line to a file with suffixin the directory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "CM-6 b",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_file_deletion_events",
+ "group_title": "Record File Deletion Events by User",
+ "group_description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_rename:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.MA-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000467-GPOS-00211",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-VMM-001870",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000468-VMM-001890",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.MA-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000467-GPOS-00211",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-VMM-001870"
+ },
+ {
+ "ref": "SRG-OS-000468-VMM-001890"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects File Deletion Events by User - rename",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename",
+ "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects File Deletion Events by User - rename\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete\",\n \"-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete\"\n ],\n \"text\": \"At a minimum, the audit system should collect file deletion events\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.MA-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000467-GPOS-00211\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-VMM-001870\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000468-VMM-001890\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Auditing file deletions will create an audit trail for files that are removed\\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\\nmalicious processes that attempt to delete log files to conceal their presence.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"rename\\\"\\n\\tKEY=\\\"delete\\\"\\n\\tSYSCALL_GROUPING=\\\"unlink unlinkat rename renameat rmdir\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_file_deletion_events_rename\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rename\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit rename tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rename\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for rename for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rename\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rename in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rename\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rename in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rename\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for rename for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rename\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rename in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rename\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rename in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rename\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_file_deletion_events_rename\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_rename:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "CM-6 b",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_file_deletion_events",
+ "group_title": "Record File Deletion Events by User",
+ "group_description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_renameat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_renameat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.MA-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000467-GPOS-00211",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-VMM-001870",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000468-VMM-001890",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.MA-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000467-GPOS-00211",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-VMM-001870"
+ },
+ {
+ "ref": "SRG-OS-000468-VMM-001890"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects File Deletion Events by User - renameat",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat",
+ "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects File Deletion Events by User - renameat\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete\",\n \"-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete\"\n ],\n \"text\": \"At a minimum, the audit system should collect file deletion events\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.MA-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000467-GPOS-00211\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-VMM-001870\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000468-VMM-001890\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Auditing file deletions will create an audit trail for files that are removed\\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\\nmalicious processes that attempt to delete log files to conceal their presence.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"renameat\\\"\\n\\tKEY=\\\"delete\\\"\\n\\tSYSCALL_GROUPING=\\\"unlink unlinkat rename renameat rmdir\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_file_deletion_events_renameat\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_renameat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit renameat tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_renameat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for renameat for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - renameat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of renameat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - renameat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of renameat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_renameat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for renameat for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - renameat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of renameat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - renameat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of renameat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_renameat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_file_deletion_events_renameat\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_renameat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_renameat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "CM-6 b",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_file_deletion_events",
+ "group_title": "Record File Deletion Events by User",
+ "group_description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_rmdir:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_rmdir_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.MA-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000467-GPOS-00211",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-VMM-001870",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000468-VMM-001890",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.MA-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000467-GPOS-00211",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-VMM-001870"
+ },
+ {
+ "ref": "SRG-OS-000468-VMM-001890"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects File Deletion Events by User - rmdir",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir",
+ "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects File Deletion Events by User - rmdir\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete\",\n \"-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete\"\n ],\n \"text\": \"At a minimum, the audit system should collect file deletion events\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.MA-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000467-GPOS-00211\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-VMM-001870\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000468-VMM-001890\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Auditing file deletions will create an audit trail for files that are removed\\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\\nmalicious processes that attempt to delete log files to conceal their presence.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"rmdir\\\"\\n\\tKEY=\\\"delete\\\"\\n\\tSYSCALL_GROUPING=\\\"unlink unlinkat rename renameat rmdir\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_file_deletion_events_rmdir\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rmdir\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit rmdir tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rmdir\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for rmdir for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rmdir\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rmdir in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rmdir\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rmdir in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rmdir\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for rmdir for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rmdir\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rmdir in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - rmdir\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of rmdir in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_rmdir\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_file_deletion_events_rmdir\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_rmdir:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_rmdir_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "CM-6 b",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_file_deletion_events",
+ "group_title": "Record File Deletion Events by User",
+ "group_description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_unlink:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_unlink_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.MA-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000467-GPOS-00211",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-VMM-001870",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000468-VMM-001890",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.MA-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000467-GPOS-00211",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-VMM-001870"
+ },
+ {
+ "ref": "SRG-OS-000468-VMM-001890"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects File Deletion Events by User - unlink",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink",
+ "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects File Deletion Events by User - unlink\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete\",\n \"-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete\"\n ],\n \"text\": \"At a minimum, the audit system should collect file deletion events\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.MA-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000467-GPOS-00211\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-VMM-001870\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000468-VMM-001890\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Auditing file deletions will create an audit trail for files that are removed\\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\\nmalicious processes that attempt to delete log files to conceal their presence.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"unlink\\\"\\n\\tKEY=\\\"delete\\\"\\n\\tSYSCALL_GROUPING=\\\"unlink unlinkat rename renameat rmdir\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_file_deletion_events_unlink\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlink\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit unlink tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlink\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for unlink for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlink\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlink in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlink\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlink in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlink\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for unlink for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlink\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlink in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlink\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlink in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlink\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_file_deletion_events_unlink\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_unlink:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_unlink_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "CM-6 b",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_file_deletion_events",
+ "group_title": "Record File Deletion Events by User",
+ "group_description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.MA-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000467-GPOS-00211",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000468-GPOS-00212",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-VMM-001870",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000468-VMM-001890",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.MA-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000467-GPOS-00211",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000468-GPOS-00212",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-VMM-001870"
+ },
+ {
+ "ref": "SRG-OS-000468-VMM-001890"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects File Deletion Events by User - unlinkat",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat",
+ "desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "Auditing file deletions will create an audit trail for files that are removed\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\nmalicious processes that attempt to delete log files to conceal their presence.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects File Deletion Events by User - unlinkat\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete\",\n \"-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete\"\n ],\n \"text\": \"At a minimum, the audit system should collect file deletion events\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.MA-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000467-GPOS-00211\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000468-GPOS-00212\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-VMM-001870\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000468-VMM-001890\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Auditing file deletions will create an audit trail for files that are removed\\nfrom the system. The audit trail could aid in system troubleshooting, as well as, detecting\\nmalicious processes that attempt to delete log files to conceal their presence.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"unlinkat\\\"\\n\\tKEY=\\\"delete\\\"\\n\\tSYSCALL_GROUPING=\\\"unlink unlinkat rename renameat rmdir\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_file_deletion_events_unlinkat\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlinkat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit unlinkat tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlinkat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for unlinkat for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlinkat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlinkat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlinkat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlinkat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlinkat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for unlinkat for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlinkat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlinkat in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/delete.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/delete.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - unlinkat\\n syscall_grouping:\\n - unlink\\n - unlinkat\\n - rename\\n - renameat\\n - rmdir\\n\\n - name: Check existence of unlinkat in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=delete\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_file_deletion_events_unlinkat\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_file_deletion_events_unlinkat\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000172"
+ ],
+ "nist": [
+ "AU-12 c",
+ "AU-12 c."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_privileged_commands",
+ "group_title": "Record Information on the Use of Privileged Commands",
+ "group_description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_init",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_init:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_init_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000477-GPOS-00222",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_init",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000477-GPOS-00222",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on the Use of Privileged Commands - init",
+ "id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_init",
+ "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "descriptions": [
+ {
+ "data": "Misuse of the init command may cause availability issues for the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on the Use of Privileged Commands - init\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged\",\n \"-a always,exit -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset -F key=privileged\"\n ],\n \"text\": \"At a minimum, the audit system should collect the execution of\\nprivileged commands for all users and root. If thedaemon is\\nconfigured to use theprogram to read audit rules during\\ndaemon startup (the default), add a line of the following form to a file with\\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\\nform to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000477-GPOS-00222\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Misuse of the init command may cause availability issues for the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit\\\"\\nOTHER_FILTERS=\\\"-F path=/usr/sbin/init\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"\\\"\\nKEY=\\\"privileged\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_privileged_commands_init\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_init\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for /usr/sbin/init\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/init -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/privileged.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F path=/usr/sbin/init -F auid>=1000\\n -F auid!=unset (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F auid>=1000\\n -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/init -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join(\\\"|\\\") }}))\\\\b)((?:(\\n -S |,)\\\\w+)+)( -F path=/usr/sbin/init -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/init -F auid>=1000\\n -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_init\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_privileged_commands_init\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_init:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_init_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_privileged_commands_init\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000172"
+ ],
+ "nist": [
+ "AU-12 c",
+ "AU-12 c."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_privileged_commands",
+ "group_title": "Record Information on the Use of Privileged Commands",
+ "group_description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_poweroff:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_poweroff_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000477-GPOS-00222",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000477-GPOS-00222",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on the Use of Privileged Commands - poweroff",
+ "id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff",
+ "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "descriptions": [
+ {
+ "data": "Misuse of the poweroff command may cause availability issues for the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on the Use of Privileged Commands - poweroff\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged\",\n \"-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged\"\n ],\n \"text\": \"At a minimum, the audit system should collect the execution of\\nprivileged commands for all users and root. If thedaemon is\\nconfigured to use theprogram to read audit rules during\\ndaemon startup (the default), add a line of the following form to a file with\\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\\nform to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000477-GPOS-00222\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Misuse of the poweroff command may cause availability issues for the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit\\\"\\nOTHER_FILTERS=\\\"-F path=/usr/sbin/poweroff\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"\\\"\\nKEY=\\\"privileged\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_privileged_commands_poweroff\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_poweroff\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for /usr/sbin/poweroff\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/privileged.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F path=/usr/sbin/poweroff -F auid>=1000\\n -F auid!=unset (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F\\n auid>=1000 -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join(\\\"|\\\") }}))\\\\b)((?:(\\n -S |,)\\\\w+)+)( -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/poweroff -F\\n auid>=1000 -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_poweroff\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_privileged_commands_poweroff\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_poweroff:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_poweroff_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000172"
+ ],
+ "nist": [
+ "AU-12 c",
+ "AU-12 c."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_privileged_commands",
+ "group_title": "Record Information on the Use of Privileged Commands",
+ "group_description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_reboot:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_reboot_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000477-GPOS-00222",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000477-GPOS-00222",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on the Use of Privileged Commands - reboot",
+ "id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot",
+ "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "descriptions": [
+ {
+ "data": "Misuse of the reboot command may cause availability issues for the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on the Use of Privileged Commands - reboot\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged\",\n \"-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged\"\n ],\n \"text\": \"At a minimum, the audit system should collect the execution of\\nprivileged commands for all users and root. If thedaemon is\\nconfigured to use theprogram to read audit rules during\\ndaemon startup (the default), add a line of the following form to a file with\\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\\nform to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000477-GPOS-00222\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Misuse of the reboot command may cause availability issues for the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit\\\"\\nOTHER_FILTERS=\\\"-F path=/usr/sbin/reboot\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"\\\"\\nKEY=\\\"privileged\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_privileged_commands_reboot\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_reboot\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for /usr/sbin/reboot\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/privileged.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F path=/usr/sbin/reboot -F auid>=1000\\n -F auid!=unset (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F auid>=1000\\n -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join(\\\"|\\\") }}))\\\\b)((?:(\\n -S |,)\\\\w+)+)( -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/reboot -F auid>=1000\\n -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_reboot\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_privileged_commands_reboot\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_reboot:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_reboot_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000172"
+ ],
+ "nist": [
+ "AU-12 c",
+ "AU-12 c."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_privileged_commands",
+ "group_title": "Record Information on the Use of Privileged Commands",
+ "group_description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_shutdown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_shutdown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000477-GPOS-00222",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000477-GPOS-00222",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on the Use of Privileged Commands - shutdown",
+ "id": "xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown",
+ "desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "descriptions": [
+ {
+ "data": "Misuse of the shutdown command may cause availability issues for the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on the Use of Privileged Commands - shutdown\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged\",\n \"-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged\"\n ],\n \"text\": \"At a minimum, the audit system should collect the execution of\\nprivileged commands for all users and root. If thedaemon is\\nconfigured to use theprogram to read audit rules during\\ndaemon startup (the default), add a line of the following form to a file with\\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\\nform to:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000477-GPOS-00222\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Misuse of the shutdown command may cause availability issues for the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit\\\"\\nOTHER_FILTERS=\\\"-F path=/usr/sbin/shutdown\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"\\\"\\nKEY=\\\"privileged\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_privileged_commands_shutdown\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_shutdown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for /usr/sbin/shutdown\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/privileged.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F path=/usr/sbin/shutdown -F auid>=1000\\n -F auid!=unset (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F\\n auid>=1000 -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls: []\\n syscall_grouping: []\\n\\n - name: Check existence of in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S |,)\\\\w+)* -F\\n path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join(\\\"|\\\") }}))\\\\b)((?:(\\n -S |,)\\\\w+)+)( -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/shutdown -F\\n auid>=1000 -F auid!=unset -F key=privileged\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-12(c)\\n - audit_privileged_commands_shutdown\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_privileged_commands_shutdown\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_privileged_commands_shutdown:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_privileged_commands_shutdown_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root. If thedaemon is\nconfigured to use theprogram to read audit rules during\ndaemon startup (the default), add a line of the following form to a file with\nsuffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform to:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002234"
+ ],
+ "nist": [
+ "AC-6 (9)",
+ "AC-2 (4)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The audit system should collect information about usage of privileged\ncommands for all users and root. To find the relevant setuid /\nsetgid programs, run the following command for each local partition:If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add a line of\nthe following form to a file with suffixin the directoryfor each setuid / setgid program on the system,\nreplacing thepart with the full path of that setuid /\nsetgid program in the list:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform tofor each setuid / setgid program on the\nsystem, replacing thepart with the full path of that\nsetuid / setgid program in the list:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_privileged_commands",
+ "group_title": "Record Information on the Use of Privileged Commands",
+ "group_description": "At a minimum, the audit system should collect the execution of\nprivileged commands for all users and root.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_privileged_commands:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_privileged_commands_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO08.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-002234",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0582",
+ "href": ""
+ },
+ {
+ "text": "0584",
+ "href": ""
+ },
+ {
+ "text": "05885",
+ "href": ""
+ },
+ {
+ "text": "0586",
+ "href": ""
+ },
+ {
+ "text": "0846",
+ "href": ""
+ },
+ {
+ "text": "0957",
+ "href": ""
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-2(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.DP-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.CO-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.2.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000327-GPOS-00127",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-VMM-001910",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO08.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-002234",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0582"
+ },
+ {
+ "ref": "0584"
+ },
+ {
+ "ref": "05885"
+ },
+ {
+ "ref": "0586"
+ },
+ {
+ "ref": "0846"
+ },
+ {
+ "ref": "0957"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-2(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.DP-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.CO-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.2.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000327-GPOS-00127",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-VMM-001910"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on the Use of Privileged Commands",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands",
+ "desc": "The audit system should collect information about usage of privileged\ncommands for all users and root. To find the relevant setuid /\nsetgid programs, run the following command for each local partition:If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add a line of\nthe following form to a file with suffixin the directoryfor each setuid / setgid program on the system,\nreplacing thepart with the full path of that setuid /\nsetgid program in the list:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform tofor each setuid / setgid program on the\nsystem, replacing thepart with the full path of that\nsetuid / setgid program in the list:",
+ "descriptions": [
+ {
+ "data": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have compromised system accounts,\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\nAuditing the use of privileged functions is one way to detect such misuse and identify\nthe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule checks for multiple syscalls related to privileged commands;\nit was written with DISA STIG in mind. Other policies should use a\nseparate rule for each syscall that needs to be checked. For example:",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on the Use of Privileged Commands\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"i\": [\n \"PART\",\n \"SETUID_PROG_PATH\",\n \"SETUID_PROG_PATH\"\n ],\n \"pre\": [\n {\n \"i\": \"PART\",\n \"text\": \"$ sudo find-xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null\"\n },\n {\n \"i\": \"SETUID_PROG_PATH\",\n \"text\": \"-a always,exit -F path=-F auid>=1000 -F auid!=unset -F key=privileged\"\n },\n {\n \"i\": \"SETUID_PROG_PATH\",\n \"text\": \"-a always,exit -F path=-F auid>=1000 -F auid!=unset -F key=privileged\"\n }\n ],\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"text\": \"The audit system should collect information about usage of privileged\\ncommands for all users and root. To find the relevant setuid /\\nsetgid programs, run the following command for each local partition:If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add a line of\\nthe following form to a file with suffixin the directoryfor each setuid / setgid program on the system,\\nreplacing thepart with the full path of that setuid /\\nsetgid program in the list:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\\nform tofor each setuid / setgid program on the\\nsystem, replacing thepart with the full path of that\\nsetuid / setgid program in the list:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"ul\": {\n \"li\": [\n {\n \"code\": \"audit_rules_privileged_commands_su\"\n },\n {\n \"code\": \"audit_rules_privileged_commands_umount\"\n },\n {\n \"code\": \"audit_rules_privileged_commands_passwd\"\n }\n ]\n },\n \"text\": \"This rule checks for multiple syscalls related to privileged commands;\\nit was written with DISA STIG in mind. Other policies should use a\\nseparate rule for each syscall that needs to be checked. For example:\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO08.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-002234\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0582\",\n \"href\": \"\"\n },\n {\n \"text\": \"0584\",\n \"href\": \"\"\n },\n {\n \"text\": \"05885\",\n \"href\": \"\"\n },\n {\n \"text\": \"0586\",\n \"href\": \"\"\n },\n {\n \"text\": \"0846\",\n \"href\": \"\"\n },\n {\n \"text\": \"0957\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-2(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.DP-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.CO-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.2.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000327-GPOS-00127\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-VMM-001910\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Misuse of privileged functions, either intentionally or unintentionally by\\nauthorized users, or by unauthorized external entities that have compromised system accounts,\\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\\nAuditing the use of privileged functions is one way to detect such misuse and identify\\nthe risk from insider and advanced persistent threats.Privileged programs are subject to escalation-of-privilege attacks,\\nwhich attempt to subvert their normal role of providing some necessary but\\nlimited capability. As such, motivation exists to monitor these programs for\\nunusual activity.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_privileged_commands:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_privileged_commands_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit system should collect information about usage of privileged\ncommands for all users and root. To find the relevant setuid /\nsetgid programs, run the following command for each local partition:If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add a line of\nthe following form to a file with suffixin the directoryfor each setuid / setgid program on the system,\nreplacing thepart with the full path of that setuid /\nsetgid program in the list:If thedaemon is configured to use theutility to read audit rules during daemon startup, add a line of the following\nform tofor each setuid / setgid program on the\nsystem, replacing thepart with the full path of that\nsetuid / setgid program in the list:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001487",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 f",
+ "AU-12 a",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_time_rules",
+ "group_title": "Records Events that Modify Date and Time Information",
+ "group_description": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time. All changes to the system\ntime should be audited.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_adjtimex:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.2.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.2.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record attempts to alter time through adjtimex",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "descriptions": [
+ {
+ "data": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Record attempts to alter time through adjtimex\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules\",\n \"-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\\nused for better reporting capability through ausearch and aureport. Multiple\\nsystem calls can be defined on the same line to save space if desired, but is\\nnot required. See an example of multiple combined syscalls:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.2.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Arbitrary changes to the system time can be used to obfuscate\\nnefarious activities in log files, as well as to confuse network services that\\nare highly dependent upon an accurate system time (such as sshd). All changes\\nto the system time should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n # Create expected audit group and audit rule form for particular system call & architecture\\n if [ ${ARCH} = \\\"b32\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call is known at 32-bit arch (see e.g \\\"$ ausyscall i386 stime\\\" 's output)\\n # so append it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday stime\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday stime\\\"\\n elif [ ${ARCH} = \\\"b64\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call isn't known at 64-bit arch (see \\\"$ ausyscall x86_64 stime\\\" 's output)\\n # therefore don't add it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday\\\"\\n fi\\n OTHER_FILTERS=\\\"\\\"\\n AUID_FILTERS=\\\"\\\"\\n KEY=\\\"audit_time_rules\\\"\\n # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n # If audit tool is 'augenrules', then check if the audit rule is defined\\n # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\n default_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n # As other_filters may include paths, lets use a different delimiter for it\\n # The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\n readarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\n if [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\n then\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\n fi\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n\\n # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n # file to the list of files to be inspected\\n default_file=\\\"/etc/audit/audit.rules\\\"\\n files_to_inspect+=('/etc/audit/audit.rules' )\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_time_adjtimex\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_adjtimex\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Set architecture for audit tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_adjtimex\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for adjtimex for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - adjtimex\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of adjtimex in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - adjtimex\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of adjtimex in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_adjtimex\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for adjtimex for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - adjtimex\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n\\n - name: Check existence of adjtimex in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - adjtimex\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of adjtimex in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_adjtimex\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_time_adjtimex\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_adjtimex:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001487",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 f",
+ "AU-12 a",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if\ndesired, but is not required. See an example of multiple combined syscalls:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_time_rules",
+ "group_title": "Records Events that Modify Date and Time Information",
+ "group_description": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time. All changes to the system\ntime should be audited.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_clock_settime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.2.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.2.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Attempts to Alter Time Through clock_settime",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if\ndesired, but is not required. See an example of multiple combined syscalls:",
+ "descriptions": [
+ {
+ "data": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Attempts to Alter Time Through clock_settime\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change\",\n \"-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change\",\n \"-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change\",\n \"-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change\",\n \"-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can\\nbe used for better reporting capability through ausearch and aureport.\\nMultiple system calls can be defined on the same line to save space if\\ndesired, but is not required. See an example of multiple combined syscalls:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.2.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Arbitrary changes to the system time can be used to obfuscate\\nnefarious activities in log files, as well as to confuse network services that\\nare highly dependent upon an accurate system time (such as sshd). All changes\\nto the system time should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"-F a0=0x0\\\"\\n\\tAUID_FILTERS=\\\"\\\"\\n\\tSYSCALL=\\\"clock_settime\\\"\\n\\tKEY=\\\"time-change\\\"\\n\\tSYSCALL_GROUPING=\\\"\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_time_clock_settime\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_clock_settime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Set architecture for audit tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_clock_settime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for clock_settime for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - clock_settime\\n syscall_grouping: []\\n\\n - name: Check existence of clock_settime in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F a0=0x0 (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/time-change.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\\n key=time-change\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - clock_settime\\n syscall_grouping: []\\n\\n - name: Check existence of clock_settime in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F a0=0x0 (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F\\n key=time-change\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_clock_settime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for clock_settime for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - clock_settime\\n syscall_grouping: []\\n\\n - name: Check existence of clock_settime in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F a0=0x0 (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/time-change.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\\n key=time-change\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - clock_settime\\n syscall_grouping: []\\n\\n - name: Check existence of clock_settime in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F a0=0x0 (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F a0=0x0 (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F\\n key=time-change\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_clock_settime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_time_clock_settime\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_clock_settime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if\ndesired, but is not required. See an example of multiple combined syscalls:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001487",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 f",
+ "AU-12 a",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_time_rules",
+ "group_title": "Records Events that Modify Date and Time Information",
+ "group_description": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time. All changes to the system\ntime should be audited.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_settimeofday:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_settimeofday_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.2.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.2.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record attempts to alter time through settimeofday",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "descriptions": [
+ {
+ "data": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record attempts to alter time through settimeofday\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules\",\n \"-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\\nused for better reporting capability through ausearch and aureport. Multiple\\nsystem calls can be defined on the same line to save space if desired, but is\\nnot required. See an example of multiple combined syscalls:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.2.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Arbitrary changes to the system time can be used to obfuscate\\nnefarious activities in log files, as well as to confuse network services that\\nare highly dependent upon an accurate system time (such as sshd). All changes\\nto the system time should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n # Create expected audit group and audit rule form for particular system call & architecture\\n if [ ${ARCH} = \\\"b32\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call is known at 32-bit arch (see e.g \\\"$ ausyscall i386 stime\\\" 's output)\\n # so append it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday stime\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday stime\\\"\\n elif [ ${ARCH} = \\\"b64\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call isn't known at 64-bit arch (see \\\"$ ausyscall x86_64 stime\\\" 's output)\\n # therefore don't add it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday\\\"\\n fi\\n OTHER_FILTERS=\\\"\\\"\\n AUID_FILTERS=\\\"\\\"\\n KEY=\\\"audit_time_rules\\\"\\n # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n # If audit tool is 'augenrules', then check if the audit rule is defined\\n # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\n default_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n # As other_filters may include paths, lets use a different delimiter for it\\n # The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\n readarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\n if [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\n then\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\n fi\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n\\n # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n # file to the list of files to be inspected\\n default_file=\\\"/etc/audit/audit.rules\\\"\\n files_to_inspect+=('/etc/audit/audit.rules' )\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_time_settimeofday\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_settimeofday\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Set architecture for audit tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_settimeofday\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for settimeofday for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - settimeofday\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of settimeofday in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - settimeofday\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of settimeofday in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_settimeofday\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for settimeofday for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - settimeofday\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of settimeofday in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - settimeofday\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of settimeofday in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_settimeofday\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_time_settimeofday\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_settimeofday:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_settimeofday_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If the system is 64 bit then also add the following line:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:If the system is 64 bit then also add the following line:The -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001487",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 f",
+ "AU-12 a",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryfor both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If thedaemon is configured to use theutility to\nread audit rules during daemon startup, add the following line tofile for both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. See an example of multiple combined system calls:",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_time_rules",
+ "group_title": "Records Events that Modify Date and Time Information",
+ "group_description": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time. All changes to the system\ntime should be audited.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_time_stime",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_stime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_stime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.2.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_time_stime",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.2.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Attempts to Alter Time Through stime",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_stime",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryfor both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If thedaemon is configured to use theutility to\nread audit rules during daemon startup, add the following line tofile for both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. See an example of multiple combined system calls:",
+ "descriptions": [
+ {
+ "data": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Attempts to Alter Time Through stime\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=b32 -S stime -F key=audit_time_rules\",\n \"-a always,exit -F arch=b32 -S stime -F key=audit_time_rules\",\n \"-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectoryfor both 32 bit and 64 bit systems:Since the 64 bit version of the \\\"stime\\\" system call is not defined in the audit\\nlookup table, the corresponding \\\"-F arch=b64\\\" form of this rule is not expected\\nto be defined on 64 bit systems (the aforementioned \\\"-F arch=b32\\\" stime rule\\nform itself is sufficient for both 32 bit and 64 bit systems). If thedaemon is configured to use theutility to\\nread audit rules during daemon startup, add the following line tofile for both 32 bit and 64 bit systems:Since the 64 bit version of the \\\"stime\\\" system call is not defined in the audit\\nlookup table, the corresponding \\\"-F arch=b64\\\" form of this rule is not expected\\nto be defined on 64 bit systems (the aforementioned \\\"-F arch=b32\\\" stime rule\\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\\nallows for the specification of a key in string form that can be used for\\nbetter reporting capability through ausearch and aureport. Multiple system\\ncalls can be defined on the same line to save space if desired, but is not\\nrequired. See an example of multiple combined system calls:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.2.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Arbitrary changes to the system time can be used to obfuscate\\nnefarious activities in log files, as well as to confuse network services that\\nare highly dependent upon an accurate system time (such as sshd). All changes\\nto the system time should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n # Create expected audit group and audit rule form for particular system call & architecture\\n if [ ${ARCH} = \\\"b32\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call is known at 32-bit arch (see e.g \\\"$ ausyscall i386 stime\\\" 's output)\\n # so append it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday stime\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday stime\\\"\\n elif [ ${ARCH} = \\\"b64\\\" ]\\n then\\n ACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n # stime system call isn't known at 64-bit arch (see \\\"$ ausyscall x86_64 stime\\\" 's output)\\n # therefore don't add it to the list of time group system calls to be audited\\n SYSCALL=\\\"adjtimex settimeofday\\\"\\n SYSCALL_GROUPING=\\\"adjtimex settimeofday\\\"\\n fi\\n OTHER_FILTERS=\\\"\\\"\\n AUID_FILTERS=\\\"\\\"\\n KEY=\\\"audit_time_rules\\\"\\n # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n # If audit tool is 'augenrules', then check if the audit rule is defined\\n # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\n default_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n # As other_filters may include paths, lets use a different delimiter for it\\n # The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\n readarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\n if [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\n then\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\n fi\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\n unset syscall_a\\n unset syscall_grouping\\n unset syscall_string\\n unset syscall\\n unset file_to_edit\\n unset rule_to_edit\\n unset rule_syscalls_to_edit\\n unset other_string\\n unset auid_string\\n unset full_rule\\n\\n # Load macro arguments into arrays\\n read -a syscall_a <<< $SYSCALL\\n read -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n # Create a list of audit *.rules files that should be inspected for presence and correctness\\n # of a particular audit rule. The scheme is as follows:\\n #\\n # -----------------------------------------------------------------------------------------\\n # Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n # -----------------------------------------------------------------------------------------\\n # auditctl | Doesn't matter | /etc/audit/audit.rules |\\n # -----------------------------------------------------------------------------------------\\n # augenrules | Yes | /etc/audit/rules.d/*.rules |\\n # augenrules | No | /etc/audit/rules.d/$key.rules |\\n # -----------------------------------------------------------------------------------------\\n #\\n files_to_inspect=()\\n\\n\\n\\n # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n # file to the list of files to be inspected\\n default_file=\\\"/etc/audit/audit.rules\\\"\\n files_to_inspect+=('/etc/audit/audit.rules' )\\n\\n # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\n skip=1\\n\\n for audit_file in \\\"${files_to_inspect[@]}\\\"\\n do\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\n done\\n\\n if [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_time_stime\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_stime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for stime syscall for x86 platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - stime\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of stime in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - stime\\n syscall_grouping:\\n - adjtimex\\n - settimeofday\\n - stime\\n\\n - name: Check existence of stime in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( (?:-k |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_stime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_time_stime\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_stime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_stime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_time_stime\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryfor both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If thedaemon is configured to use theutility to\nread audit rules during daemon startup, add the following line tofile for both 32 bit and 64 bit systems:Since the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. See an example of multiple combined system calls:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001487",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 f",
+ "AU-12 a",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport and\nshould always be used.",
+ "group_id": "xccdf_org.ssgproject.content_group_audit_time_rules",
+ "group_title": "Records Events that Modify Date and Time Information",
+ "group_description": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time. All changes to the system\ntime should be audited.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_watch_localtime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.2.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.2.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Attempts to Alter the localtime File",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport and\nshould always be used.",
+ "descriptions": [
+ {
+ "data": "Arbitrary changes to the system time can be used to obfuscate\nnefarious activities in log files, as well as to confuse network services that\nare highly dependent upon an accurate system time (such as sshd). All changes\nto the system time should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Attempts to Alter the localtime File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-w /etc/localtime -p wa -k audit_time_rules\",\n \"-w /etc/localtime -p wa -k audit_time_rules\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:The -k option allows for the specification of a key in string form that can\\nbe used for better reporting capability through ausearch and aureport and\\nshould always be used.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.2.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Arbitrary changes to the system time can be used to obfuscate\\nnefarious activities in log files, as well as to confuse network services that\\nare highly dependent upon an accurate system time (such as sshd). All changes\\nto the system time should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/localtime\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/localtime $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/localtime$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/localtime -p wa -k audit_time_rules\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/localtime\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/audit_time_rules.rules\\\"\\n # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/localtime\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/localtime $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/localtime$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/localtime -p wa -k audit_time_rules\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_time_watch_localtime\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^\\\\s*-w\\\\s+/etc/localtime\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: '*.rules'\\n register: find_existing_watch_rules_d\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^.*(?:-F key=|-k\\\\s+)audit_time_rules$\\n patterns: '*.rules'\\n register: find_watch_key\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule\\n set_fact:\\n all_files:\\n - /etc/audit/rules.d/audit_time_rules.rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use matched file as the recipient for the rule\\n set_fact:\\n all_files:\\n - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/\\n lineinfile:\\n path: '{{ all_files[0] }}'\\n line: -w /etc/localtime -p wa -k audit_time_rules\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit/\\n contains: ^\\\\s*-w\\\\s+/etc/localtime\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: audit.rules\\n register: find_existing_watch_audit_rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules\\n lineinfile:\\n line: -w /etc/localtime -p wa -k audit_time_rules\\n state: present\\n dest: /etc/audit/audit.rules\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.2.b\\n - audit_rules_time_watch_localtime\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_time_watch_localtime\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_time_watch_localtime:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:The -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport and\nshould always be used.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164"
+ ],
+ "nist": [
+ "AU-9 a",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryin order to make the auditd configuration\nimmutable:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile in order to make the auditd configuration\nimmutable:With this setting, a reboot will be required to change any audit rules.",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_immutable",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_immutable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_immutable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.4.3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000162",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000163",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000164",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iv)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.5.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000057-GPOS-00027",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000058-GPOS-00028",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000059-GPOS-00029",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_immutable",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.4.3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000162",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000163",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000164",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iv)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.5.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000057-GPOS-00027",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000058-GPOS-00028",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000059-GPOS-00029",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Make the auditd Configuration Immutable",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_immutable",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryin order to make the auditd configuration\nimmutable:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile in order to make the auditd configuration\nimmutable:With this setting, a reboot will be required to change any audit rules.",
+ "descriptions": [
+ {
+ "data": "Making the audit configuration immutable prevents accidental as\nwell as malicious modification of the audit rules, although it may be\nproblematic if legitimate changes are needed during system\noperation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Make the auditd Configuration Immutable\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-e 2\",\n \"-e 2\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectoryin order to make the auditd configuration\\nimmutable:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile in order to make the auditd configuration\\nimmutable:With this setting, a reboot will be required to change any audit rules.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.4.3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000162\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000163\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000164\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iv)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.5.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000057-GPOS-00027\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000058-GPOS-00028\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000059-GPOS-00029\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Making the audit configuration immutable prevents accidental as\\nwell as malicious modification of the audit rules, although it may be\\nproblematic if legitimate changes are needed during system\\noperation.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Traverse all of:\\n#\\n# /etc/audit/audit.rules,\\t\\t\\t(for auditctl case)\\n# /etc/audit/rules.d/*.rules\\t\\t\\t(for augenrules case)\\n#\\n# files to check if '-e .*' setting is present in that '*.rules' file already.\\n# If found, delete such occurrence since auditctl(8) manual page instructs the\\n# '-e 2' rule should be placed as the last rule in the configuration\\nfind /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\\\\+.*/d' {} ';'\\n\\n# Append '-e 2' requirement at the end of both:\\n# * /etc/audit/audit.rules file \\t\\t(for auditctl case)\\n# * /etc/audit/rules.d/immutable.rules\\t\\t(for augenrules case)\\n\\nfor AUDIT_FILE in \\\"/etc/audit/audit.rules\\\" \\\"/etc/audit/rules.d/immutable.rules\\\"\\ndo\\n\\techo '' >> $AUDIT_FILE\\n\\techo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE\\n\\techo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE\\n\\techo '-e 2' >> $AUDIT_FILE\\n\\tchmod o-rwx $AUDIT_FILE\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_immutable\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.4.3\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.2\\n - audit_rules_immutable\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Collect all files from /etc/audit/rules.d with .rules extension\\n find:\\n paths: /etc/audit/rules.d/\\n patterns: '*.rules'\\n register: find_rules_d\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.4.3\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.2\\n - audit_rules_immutable\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Remove the -e option from all Audit config files\\n lineinfile:\\n path: '{{ item }}'\\n regexp: ^\\\\s*(?:-e)\\\\s+.*$\\n state: absent\\n loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules'']\\n }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.4.3\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.2\\n - audit_rules_immutable\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules\\n lineinfile:\\n path: '{{ item }}'\\n create: true\\n line: -e 2\\n mode: o-rwx\\n loop:\\n - /etc/audit/audit.rules\\n - /etc/audit/rules.d/immutable.rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.4.3\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.2\\n - audit_rules_immutable\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_immutable\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_immutable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_immutable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_immutable\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectoryin order to make the auditd configuration\nimmutable:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile in order to make the auditd configuration\nimmutable:With this setting, a reboot will be required to change any audit rules.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_mac_modification",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_mac_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_mac_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "audit_rules_mac_modification",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.8",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_mac_modification",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.8",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Mandatory Access Controls",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_mac_modification",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/selinux/\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/selinux/ $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/selinux/$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/selinux/ -p wa -k MAC-policy\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/etc/selinux/\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/MAC-policy.rules\"\n # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/selinux/\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/selinux/ $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/selinux/$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/selinux/ -p wa -k MAC-policy\" >> \"$audit_rules_file\"\n fi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "The system's mandatory access policy (SELinux) should not be\narbitrarily changed by anything other than administrator action. All changes to\nMAC policy should be audited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Mandatory Access Controls\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-w /etc/selinux/ -p wa -k MAC-policy\",\n \"-w /etc/selinux/ -p wa -k MAC-policy\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following line to a file with suffixin the\\ndirectory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.8\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The system's mandatory access policy (SELinux) should not be\\narbitrarily changed by anything other than administrator action. All changes to\\nMAC policy should be audited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/selinux/\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/selinux/ $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/selinux/$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/selinux/ -p wa -k MAC-policy\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/MAC-policy.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/selinux/\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/MAC-policy.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/MAC-policy.rules\\\"\\n # If the MAC-policy.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/selinux/\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/selinux/ $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/selinux/$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/selinux/ -p wa -k MAC-policy\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_mac_modification\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_mac_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_mac_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_mac_modification\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffixin the\ndirectory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_media_export",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_media_export:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_media_export_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.2.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_media_export",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.2.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects Information on Exporting to Media (successful)",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_media_export",
+ "desc": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "The unauthorized exportation of data to external media could result in an information leak\nwhere classified information, Privacy Act information, and intellectual property could be lost. An audit\ntrail should be created each time a filesystem is mounted to help identify and guard against information\nloss.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects Information on Exporting to Media (successful)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export\",\n \"-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export\"\n ],\n \"text\": \"At a minimum, the audit system should collect media exportation\\nevents for all users and root. If thedaemon is configured to\\nuse theprogram to read audit rules during daemon startup\\n(the default), add the following line to a file with suffixin\\nthe directory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.2.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The unauthorized exportation of data to external media could result in an information leak\\nwhere classified information, Privacy Act information, and intellectual property could be lost. An audit\\ntrail should be created each time a filesystem is mounted to help identify and guard against information\\nloss.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\n\\tSYSCALL=\\\"mount\\\"\\n\\tKEY=\\\"perm_mod\\\"\\n\\tSYSCALL_GROUPING=\\\"\\\"\\n\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_media_export\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_media_export\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Set architecture for audit mount tasks\\n set_fact:\\n audit_arch: b64\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - ansible_architecture == \\\"aarch64\\\" or ansible_architecture == \\\"ppc64\\\" or ansible_architecture\\n == \\\"ppc64le\\\" or ansible_architecture == \\\"s390x\\\" or ansible_architecture == \\\"x86_64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_media_export\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for mount for 32bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - mount\\n syscall_grouping: []\\n\\n - name: Check existence of mount in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - mount\\n syscall_grouping: []\\n\\n - name: Check existence of mount in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b32(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_media_export\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Perform remediation of Audit rules for mount for 64bit platform\\n block:\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - mount\\n syscall_grouping: []\\n\\n - name: Check existence of mount in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: '*.rules'\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Reset syscalls found per file\\n set_fact:\\n syscalls_per_file: {}\\n found_paths_dict: {}\\n\\n - name: Declare syscalls found per file\\n set_fact: syscalls_per_file=\\\"{{ syscalls_per_file | combine( {item.files[0].path\\n :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}\\\"\\n loop: '{{ find_command.results | selectattr(''matched'') | list }}'\\n\\n - name: Declare files where syscalls were found\\n set_fact: found_paths=\\\"{{ find_command.results | map(attribute='files') | flatten\\n | map(attribute='path') | list }}\\\"\\n\\n - name: Count occurrences of syscalls in paths\\n set_fact: found_paths_dict=\\\"{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,\\n 0) }) }}\\\"\\n loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')\\n | list }}'\\n\\n - name: Get path with most syscalls\\n set_fact: audit_file=\\\"{{ (found_paths_dict | dict2items() | sort(attribute='value')\\n | last).key }}\\\"\\n when: found_paths | length >= 1\\n\\n - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules\\n set_fact: audit_file=\\\"/etc/audit/rules.d/perm_mod.rules\\\"\\n when: found_paths | length == 0\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]\\n | join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k\\n |-F key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n\\n - name: Declare list of syscalls\\n set_fact:\\n syscalls:\\n - mount\\n syscall_grouping: []\\n\\n - name: Check existence of mount in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit\\n contains: -a always,exit -F arch=b64(( -S |,)\\\\w+)*(( -S |,){{ item }})+(( -S\\n |,)\\\\w+)* -F auid>=1000 -F auid!=unset (-k\\\\s+|-F\\\\s+key=)\\\\S+\\\\s*$\\n patterns: audit.rules\\n register: find_command\\n loop: '{{ (syscall_grouping + syscalls) | unique }}'\\n\\n - name: Set path to /etc/audit/audit.rules\\n set_fact: audit_file=\\\"/etc/audit/audit.rules\\\"\\n\\n - name: Declare found syscalls\\n set_fact: syscalls_found=\\\"{{ find_command.results | selectattr('matched') | map(attribute='item')\\n | list }}\\\"\\n\\n - name: Declare missing syscalls\\n set_fact: missing_syscalls=\\\"{{ syscalls | difference(syscalls_found) }}\\\"\\n\\n - name: Replace the audit rule in {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found |\\n join(\\\"|\\\") }}))\\\\b)((?:( -S |,)\\\\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F\\n key=)\\\\w+)\\n line: \\\\1\\\\2\\\\3{{ missing_syscalls | join(\\\"\\\\3\\\") }}\\\\4\\n backrefs: true\\n state: present\\n when: syscalls_found | length > 0 and missing_syscalls | length > 0\\n\\n - name: Add the audit rule to {{ audit_file }}\\n lineinfile:\\n path: '{{ audit_file }}'\\n line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000\\n -F auid!=unset -F key=perm_mod\\n create: true\\n mode: o-rwx\\n state: present\\n when: syscalls_found | length == 0\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - audit_arch == \\\"b64\\\"\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.7\\n - audit_rules_media_export\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"audit_rules_media_export\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_media_export:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_media_export_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_media_export\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If thedaemon is configured to\nuse theprogram to read audit rules during daemon startup\n(the default), add the following line to a file with suffixin\nthe directory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_networkconfig_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_networkconfig_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "audit_rules_networkconfig_modification",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.5.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.5.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify the System's Network Environment",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\n# First perform the remediation of the syscall rule\n# Retrieve hardware architecture of the underlying system\n[ \"$(getconf LONG_BIT)\" = \"32\" ] && RULE_ARCHS=(\"b32\") || RULE_ARCHS=(\"b32\" \"b64\")\n\nfor ARCH in \"${RULE_ARCHS[@]}\"\ndo\n\tACTION_ARCH_FILTERS=\"-a always,exit -F arch=$ARCH\"\n\tOTHER_FILTERS=\"\"\n\tAUID_FILTERS=\"\"\n\tSYSCALL=\"sethostname setdomainname\"\n\tKEY=\"audit_rules_networkconfig_modification\"\n\tSYSCALL_GROUPING=\"sethostname setdomainname\"\n\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n\tunset syscall_a\nunset syscall_grouping\nunset syscall_string\nunset syscall\nunset file_to_edit\nunset rule_to_edit\nunset rule_syscalls_to_edit\nunset other_string\nunset auid_string\nunset full_rule\n\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! -e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/^$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\" || candidate_rules+=(\"$s_rule\")\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\" || {\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n }\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [ \"${#candidate_rules[@]}\" -gt 0 ]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [ \"${#syscall_a[@]}\" -gt 0 ]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\") || /bin/true\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\") || /bin/true\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\" || /bin/true\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\" || {\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n }\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\tunset syscall_a\nunset syscall_grouping\nunset syscall_string\nunset syscall\nunset file_to_edit\nunset rule_to_edit\nunset rule_syscalls_to_edit\nunset other_string\nunset auid_string\nunset full_rule\n\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/^$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\" || candidate_rules+=(\"$s_rule\")\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\" || {\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n }\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [ \"${#candidate_rules[@]}\" -gt 0 ]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [ \"${#syscall_a[@]}\" -gt 0 ]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\") || /bin/true\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\") || /bin/true\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\" || /bin/true\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\" || {\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n }\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\ndone\n\n# Then perform the remediations for the watch rules\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/issue\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/issue $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/issue$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/issue -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/etc/issue\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\"\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/issue\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/issue $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/issue$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/issue -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/issue.net\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/issue.net $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/issue.net$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/etc/issue.net\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\"\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/issue.net\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/issue.net $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/issue.net$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/hosts\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/hosts $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/hosts$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/etc/hosts\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\"\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/hosts\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/hosts $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/hosts$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/sysconfig/network\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/sysconfig/network $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/sysconfig/network$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/etc/sysconfig/network\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\"\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/etc/sysconfig/network\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/etc/sysconfig/network $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/etc/sysconfig/network$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\" >> \"$audit_rules_file\"\n fi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "The network environment should not be modified by anything other\nthan administrator action. Any change to network parameters should be\naudited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify the System's Network Environment\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification\\n-w /etc/issue -p wa -k audit_rules_networkconfig_modification\\n-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\\n-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\\n-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\",\n \"-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification\\n-w /etc/issue -p wa -k audit_rules_networkconfig_modification\\n-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\\n-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\\n-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\"\n ],\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following lines to a file with suffixin the\\ndirectory, setting ARCH to either b32 or b64 as\\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, setting ARCH to either b32 or b64 as\\nappropriate for your system:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.5.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The network environment should not be modified by anything other\\nthan administrator action. Any change to network parameters should be\\naudited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# First perform the remediation of the syscall rule\\n# Retrieve hardware architecture of the underlying system\\n[ \\\"$(getconf LONG_BIT)\\\" = \\\"32\\\" ] && RULE_ARCHS=(\\\"b32\\\") || RULE_ARCHS=(\\\"b32\\\" \\\"b64\\\")\\n\\nfor ARCH in \\\"${RULE_ARCHS[@]}\\\"\\ndo\\n\\tACTION_ARCH_FILTERS=\\\"-a always,exit -F arch=$ARCH\\\"\\n\\tOTHER_FILTERS=\\\"\\\"\\n\\tAUID_FILTERS=\\\"\\\"\\n\\tSYSCALL=\\\"sethostname setdomainname\\\"\\n\\tKEY=\\\"audit_rules_networkconfig_modification\\\"\\n\\tSYSCALL_GROUPING=\\\"sethostname setdomainname\\\"\\n\\t# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\tunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\ndone\\n\\n# Then perform the remediations for the watch rules\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/issue\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/issue $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/issue$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/issue -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/issue\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\\\"\\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/issue\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/issue $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/issue$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/issue -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/issue.net\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/issue.net $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/issue.net$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/issue.net\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\\\"\\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/issue.net\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/issue.net $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/issue.net$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/hosts\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/hosts $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/hosts$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/hosts\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\\\"\\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/hosts\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/hosts $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/hosts$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/hosts -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sysconfig/network\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sysconfig/network $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sysconfig/network$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/sysconfig/network\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/audit_rules_networkconfig_modification.rules\\\"\\n # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sysconfig/network\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sysconfig/network $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sysconfig/network$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_networkconfig_modification\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_networkconfig_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_networkconfig_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, setting ARCH to either b32 or b64 as\nappropriate for your system:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, setting ARCH to either b32 or b64 as\nappropriate for your system:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-2 d.",
+ "AU-12 c.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_session_events",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_session_events:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "audit_rules_session_events",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0582",
+ "href": ""
+ },
+ {
+ "text": "0584",
+ "href": ""
+ },
+ {
+ "text": "05885",
+ "href": ""
+ },
+ {
+ "text": "0586",
+ "href": ""
+ },
+ {
+ "text": "0846",
+ "href": ""
+ },
+ {
+ "text": "0957",
+ "href": ""
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_session_events",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0582"
+ },
+ {
+ "ref": "0584"
+ },
+ {
+ "ref": "05885"
+ },
+ {
+ "ref": "0586"
+ },
+ {
+ "ref": "0846"
+ },
+ {
+ "ref": "0957"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Attempts to Alter Process and Session Initiation Information",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_session_events",
+ "desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:",
+ "descriptions": [
+ {
+ "data": "oval:ssg-audit_rules_session_events:def:1",
+ "label": "check"
+ },
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/run/utmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/run/utmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/run/utmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/run/utmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/var/run/utmp\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/session.rules\"\n # If the session.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/run/utmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/run/utmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/run/utmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/run/utmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/log/btmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/log/btmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/log/btmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/log/btmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/var/log/btmp\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/session.rules\"\n # If the session.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/log/btmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/log/btmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/log/btmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/log/btmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# into the list of files to be inspected\nfiles_to_inspect+=('/etc/audit/audit.rules')\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/log/wtmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/log/wtmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/log/wtmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/log/wtmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules\t| Rule already defined\t| Audit rules file to inspect\t |\n# -----------------------------------------------------------------------------------------\n#\tauditctl\t\t| Doesn't matter\t| /etc/audit/audit.rules\t |\n# -----------------------------------------------------------------------------------------\n# \taugenrules\t\t| Yes\t\t| /etc/audit/rules.d/*.rules\t |\n# \taugenrules\t\t| No\t\t| /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\nfiles_to_inspect=()\n\n# If the audit is 'augenrules', then check if rule is already defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\nreadarray -t matches < <(grep -HP \"[\\s]*-w[\\s]+/var/log/wtmp\" /etc/audit/rules.d/*.rules)\n\n# For each of the matched entries\nfor match in \"${matches[@]}\"\ndo\n # Extract filepath from the match\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\n # Append that path into list of files for inspection\n files_to_inspect+=(\"$rulesd_audit_file\")\ndone\n# Case when particular audit rule isn't defined yet\nif [ \"${#files_to_inspect[@]}\" -eq \"0\" ]\nthen\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\n key_rule_file=\"/etc/audit/rules.d/session.rules\"\n # If the session.rules file doesn't exist yet, create it with correct permissions\n if [ ! -e \"$key_rule_file\" ]\n then\n touch \"$key_rule_file\"\n chmod 0640 \"$key_rule_file\"\n fi\n files_to_inspect+=(\"$key_rule_file\")\nfi\n\n# Finally perform the inspection and possible subsequent audit rule\n# correction for each of the files previously identified for inspection\nfor audit_rules_file in \"${files_to_inspect[@]}\"\ndo\n # Check if audit watch file system object rule for given path already present\n if grep -q -P -- \"^[\\s]*-w[\\s]+/var/log/wtmp\" \"$audit_rules_file\"\n then\n # Rule is found => verify yet if existing rule definition contains\n # all of the required access type bits\n\n # Define BRE whitespace class shortcut\n sp=\"[[:space:]]\"\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\n current_access_bits=$(sed -ne \"s#$sp*-w$sp\\+/var/log/wtmp $sp\\+-p$sp\\+\\([rxwa]\\{1,4\\}\\).*#\\1#p\" \"$audit_rules_file\")\n # Split required access bits string into characters array\n # (to check bit's presence for one bit at a time)\n for access_bit in $(echo \"wa\" | grep -o .)\n do\n # For each from the required access bits (e.g. 'w', 'a') check\n # if they are already present in current access bits for rule.\n # If not, append that bit at the end\n if ! grep -q \"$access_bit\" <<< \"$current_access_bits\"\n then\n # Concatenate the existing mask with the missing bit\n current_access_bits=\"$current_access_bits$access_bit\"\n fi\n done\n # Propagate the updated rule's access bits (original + the required\n # ones) back into the /etc/audit/audit.rules file for that rule\n sed -i \"s#\\($sp*-w$sp\\+/var/log/wtmp$sp\\+-p$sp\\+\\)\\([rxwa]\\{1,4\\}\\)\\(.*\\)#\\1$current_access_bits\\3#\" \"$audit_rules_file\"\n else\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\n # with proper key\n\n echo \"-w /var/log/wtmp -p wa -k session\" >> \"$audit_rules_file\"\n fi\ndone\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Manual editing of these files may indicate nefarious activity, such\nas an attacker attempting to remove evidence of an intrusion.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Record Attempts to Alter Process and Session Initiation Information\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-w /var/run/utmp -p wa -k session\\n-w /var/log/btmp -p wa -k session\\n-w /var/log/wtmp -p wa -k session\",\n \"-w /var/run/utmp -p wa -k session\\n-w /var/log/btmp -p wa -k session\\n-w /var/log/wtmp -p wa -k session\"\n ],\n \"text\": \"The audit system already collects process information for all\\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following lines to a file with suffixin the\\ndirectoryin order to watch for attempted manual\\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\\nedits of files involved in storing such process information:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0582\",\n \"href\": \"\"\n },\n {\n \"text\": \"0584\",\n \"href\": \"\"\n },\n {\n \"text\": \"05885\",\n \"href\": \"\"\n },\n {\n \"text\": \"0586\",\n \"href\": \"\"\n },\n {\n \"text\": \"0846\",\n \"href\": \"\"\n },\n {\n \"text\": \"0957\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Manual editing of these files may indicate nefarious activity, such\\nas an attacker attempting to remove evidence of an intrusion.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/run/utmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/run/utmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/run/utmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/run/utmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/var/run/utmp\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/session.rules\\\"\\n # If the session.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/run/utmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/run/utmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/run/utmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/run/utmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/log/btmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/log/btmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/log/btmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/log/btmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/var/log/btmp\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/session.rules\\\"\\n # If the session.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/log/btmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/log/btmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/log/btmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/log/btmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/log/wtmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/log/wtmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/log/wtmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/log/wtmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/var/log/wtmp\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/session.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/session.rules\\\"\\n # If the session.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/var/log/wtmp\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/var/log/wtmp $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/var/log/wtmp$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /var/log/wtmp -p wa -k session\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_session_events\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_session_events:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_session_events\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit system already collects process information for all\nusers and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectoryin order to watch for attempted manual\nedits of files involved in storing such process information:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile in order to watch for attempted manual\nedits of files involved in storing such process information:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000135",
+ "CCI-000169",
+ "CCI-000172",
+ "CCI-002884"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 (1)",
+ "AU-12 a",
+ "AU-12 c",
+ "MA-4 (1) (a)",
+ "AC-2 (7) b.",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "At a minimum, the audit system should collect administrator actions\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_sysadmin_actions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(d)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-2(7)(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.1.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.2.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.2.5.b",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000004-GPOS-00004",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000304-GPOS-00121",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000470-GPOS-00214",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000239-GPOS-00089",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000240-GPOS-00090",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000241-GPOS-00091",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000303-GPOS-00120",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000304-GPOS-00121",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000466-GPOS-00210",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000476-GPOS-00221",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-VMM-001840",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000471-VMM-001910",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(d)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-2(7)(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.1.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.2.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.2.5.b",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000004-GPOS-00004",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000304-GPOS-00121",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000470-GPOS-00214",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000239-GPOS-00089",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000240-GPOS-00090",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000241-GPOS-00091",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000303-GPOS-00120",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000304-GPOS-00121",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000466-GPOS-00210",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000476-GPOS-00221",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-VMM-001840"
+ },
+ {
+ "ref": "SRG-OS-000471-VMM-001910"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure auditd Collects System Administrator Actions",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions",
+ "desc": "At a minimum, the audit system should collect administrator actions\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "descriptions": [
+ {
+ "data": "The actions taken by system administrators should be audited to keep a record\nof what was executed on the system, as well as, for accountability purposes.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure auditd Collects System Administrator Actions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-w /etc/sudoers -p wa -k actions\\n-w /etc/sudoers.d/ -p wa -k actions\",\n \"-w /etc/sudoers -p wa -k actions\\n-w /etc/sudoers.d/ -p wa -k actions\"\n ],\n \"text\": \"At a minimum, the audit system should collect administrator actions\\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(d)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-2(7)(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.1.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.2.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.2.5.b\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000004-GPOS-00004\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000304-GPOS-00121\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000470-GPOS-00214\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000239-GPOS-00089\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000240-GPOS-00090\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000241-GPOS-00091\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000303-GPOS-00120\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000304-GPOS-00121\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000466-GPOS-00210\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000476-GPOS-00221\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-VMM-001840\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000471-VMM-001910\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The actions taken by system administrators should be audited to keep a record\\nof what was executed on the system, as well as, for accountability purposes.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sudoers\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sudoers $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sudoers$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sudoers -p wa -k actions\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/sudoers\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/actions.rules\\\"\\n # If the actions.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sudoers\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sudoers $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sudoers$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sudoers -p wa -k actions\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n\\n# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# into the list of files to be inspected\\nfiles_to_inspect+=('/etc/audit/audit.rules')\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sudoers.d/\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sudoers.d/ $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sudoers.d/$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sudoers.d/ -p wa -k actions\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules\\t| Rule already defined\\t| Audit rules file to inspect\\t |\\n# -----------------------------------------------------------------------------------------\\n#\\tauditctl\\t\\t| Doesn't matter\\t| /etc/audit/audit.rules\\t |\\n# -----------------------------------------------------------------------------------------\\n# \\taugenrules\\t\\t| Yes\\t\\t| /etc/audit/rules.d/*.rules\\t |\\n# \\taugenrules\\t\\t| No\\t\\t| /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\nfiles_to_inspect=()\\n\\n# If the audit is 'augenrules', then check if rule is already defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.\\n# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.\\nreadarray -t matches < <(grep -HP \\\"[\\\\s]*-w[\\\\s]+/etc/sudoers.d/\\\" /etc/audit/rules.d/*.rules)\\n\\n# For each of the matched entries\\nfor match in \\\"${matches[@]}\\\"\\ndo\\n # Extract filepath from the match\\n rulesd_audit_file=$(echo $match | cut -f1 -d ':')\\n # Append that path into list of files for inspection\\n files_to_inspect+=(\\\"$rulesd_audit_file\\\")\\ndone\\n# Case when particular audit rule isn't defined yet\\nif [ \\\"${#files_to_inspect[@]}\\\" -eq \\\"0\\\" ]\\nthen\\n # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection\\n key_rule_file=\\\"/etc/audit/rules.d/actions.rules\\\"\\n # If the actions.rules file doesn't exist yet, create it with correct permissions\\n if [ ! -e \\\"$key_rule_file\\\" ]\\n then\\n touch \\\"$key_rule_file\\\"\\n chmod 0640 \\\"$key_rule_file\\\"\\n fi\\n files_to_inspect+=(\\\"$key_rule_file\\\")\\nfi\\n\\n# Finally perform the inspection and possible subsequent audit rule\\n# correction for each of the files previously identified for inspection\\nfor audit_rules_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Check if audit watch file system object rule for given path already present\\n if grep -q -P -- \\\"^[\\\\s]*-w[\\\\s]+/etc/sudoers.d/\\\" \\\"$audit_rules_file\\\"\\n then\\n # Rule is found => verify yet if existing rule definition contains\\n # all of the required access type bits\\n\\n # Define BRE whitespace class shortcut\\n sp=\\\"[[:space:]]\\\"\\n # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule\\n current_access_bits=$(sed -ne \\\"s#$sp*-w$sp\\\\+/etc/sudoers.d/ $sp\\\\+-p$sp\\\\+\\\\([rxwa]\\\\{1,4\\\\}\\\\).*#\\\\1#p\\\" \\\"$audit_rules_file\\\")\\n # Split required access bits string into characters array\\n # (to check bit's presence for one bit at a time)\\n for access_bit in $(echo \\\"wa\\\" | grep -o .)\\n do\\n # For each from the required access bits (e.g. 'w', 'a') check\\n # if they are already present in current access bits for rule.\\n # If not, append that bit at the end\\n if ! grep -q \\\"$access_bit\\\" <<< \\\"$current_access_bits\\\"\\n then\\n # Concatenate the existing mask with the missing bit\\n current_access_bits=\\\"$current_access_bits$access_bit\\\"\\n fi\\n done\\n # Propagate the updated rule's access bits (original + the required\\n # ones) back into the /etc/audit/audit.rules file for that rule\\n sed -i \\\"s#\\\\($sp*-w$sp\\\\+/etc/sudoers.d/$sp\\\\+-p$sp\\\\+\\\\)\\\\([rxwa]\\\\{1,4\\\\}\\\\)\\\\(.*\\\\)#\\\\1$current_access_bits\\\\3#\\\" \\\"$audit_rules_file\\\"\\n else\\n # Rule isn't present yet. Append it at the end of $audit_rules_file file\\n # with proper key\\n\\n echo \\\"-w /etc/sudoers.d/ -p wa -k actions\\\" >> \\\"$audit_rules_file\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"audit_rules_sysadmin_actions\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^\\\\s*-w\\\\s+/etc/sudoers\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: '*.rules'\\n register: find_existing_watch_rules_d\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Search /etc/audit/rules.d for other rules with specified key actions\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^.*(?:-F key=|-k\\\\s+)actions$\\n patterns: '*.rules'\\n register: find_watch_key\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule\\n set_fact:\\n all_files:\\n - /etc/audit/rules.d/actions.rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use matched file as the recipient for the rule\\n set_fact:\\n all_files:\\n - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/\\n lineinfile:\\n path: '{{ all_files[0] }}'\\n line: -w /etc/sudoers -p wa -k actions\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit/\\n contains: ^\\\\s*-w\\\\s+/etc/sudoers\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: audit.rules\\n register: find_existing_watch_audit_rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules\\n lineinfile:\\n line: -w /etc/sudoers -p wa -k actions\\n state: present\\n dest: /etc/audit/audit.rules\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^\\\\s*-w\\\\s+/etc/sudoers.d/\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: '*.rules'\\n register: find_existing_watch_rules_d\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Search /etc/audit/rules.d for other rules with specified key actions\\n find:\\n paths: /etc/audit/rules.d\\n contains: ^.*(?:-F key=|-k\\\\s+)actions$\\n patterns: '*.rules'\\n register: find_watch_key\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule\\n set_fact:\\n all_files:\\n - /etc/audit/rules.d/actions.rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Use matched file as the recipient for the rule\\n set_fact:\\n all_files:\\n - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched\\n is defined and find_existing_watch_rules_d.matched == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/\\n lineinfile:\\n path: '{{ all_files[0] }}'\\n line: -w /etc/sudoers.d/ -p wa -k actions\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules\\n find:\\n paths: /etc/audit/\\n contains: ^\\\\s*-w\\\\s+/etc/sudoers.d/\\\\s+-p\\\\s+wa(\\\\s|$)+\\n patterns: audit.rules\\n register: find_existing_watch_audit_rules\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules\\n lineinfile:\\n line: -w /etc/sudoers.d/ -p wa -k actions\\n state: present\\n dest: /etc/audit/audit.rules\\n create: true\\n mode: '0640'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched\\n == 0\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.1.7\\n - NIST-800-53-AC-2(7)(b)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1.5\\n - PCI-DSS-Req-10.2.2\\n - PCI-DSS-Req-10.2.5.b\\n - audit_rules_sysadmin_actions\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"audit_rules_sysadmin_actions\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_sysadmin_actions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "At a minimum, the audit system should collect administrator actions\nfor all users and root. If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default),\nadd the following line to a file with suffixin the directory:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following line tofile:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000018",
+ "CCI-000130",
+ "CCI-000172",
+ "CCI-001403",
+ "CCI-002130"
+ ],
+ "nist": [
+ "AC-2 (4)",
+ "AU-3 a",
+ "AU-12 c",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_usergroup_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_usergroup_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000018",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001403",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-2(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.2.5",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000004-GPOS-00004",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00020",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000239-GPOS-00089",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000241-GPOS-00090",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000241-GPOS-00091",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000303-GPOS-00120",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000462-GPOS-00206",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000471-GPOS-00215",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000476-GPOS-00221",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000018",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001403",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-2(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.2.5",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000004-GPOS-00004",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00020",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000239-GPOS-00089",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000241-GPOS-00090",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000241-GPOS-00091",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000303-GPOS-00120",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000462-GPOS-00206",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000471-GPOS-00215",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000476-GPOS-00221",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Events that Modify User/Group Information",
+ "id": "xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification",
+ "desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:",
+ "descriptions": [
+ {
+ "data": "In addition to auditing new user and group accounts, these watches\nwill alert the system administrator(s) to any modifications. Any unexpected\nusers, groups, or modifications should be investigated for legitimacy.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule checks for multiple syscalls related to account changes;\nit was written with DISA STIG in mind. Other policies should use a\nseparate rule for each syscall that needs to be checked. For example:",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Events that Modify User/Group Information\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"pre\": [\n \"-w /etc/group -p wa -k audit_rules_usergroup_modification\\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\",\n \"-w /etc/group -p wa -k audit_rules_usergroup_modification\\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\"\n ],\n \"br\": \"\",\n \"text\": \"If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\\ndefault), add the following lines to a file with suffixin the\\ndirectory, in order to capture events that modify\\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\\naccount changes:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"ul\": {\n \"li\": [\n {\n \"code\": \"audit_rules_usergroup_modification_group\"\n },\n {\n \"code\": \"audit_rules_usergroup_modification_gshadow\"\n },\n {\n \"code\": \"audit_rules_usergroup_modification_passwd\"\n }\n ]\n },\n \"text\": \"This rule checks for multiple syscalls related to account changes;\\nit was written with DISA STIG in mind. Other policies should use a\\nseparate rule for each syscall that needs to be checked. For example:\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000018\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001403\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-2(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.2.5\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000004-GPOS-00004\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00020\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000239-GPOS-00089\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000241-GPOS-00090\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000241-GPOS-00091\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000303-GPOS-00120\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000462-GPOS-00206\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000471-GPOS-00215\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000476-GPOS-00221\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"In addition to auditing new user and group accounts, these watches\\nwill alert the system administrator(s) to any modifications. Any unexpected\\nusers, groups, or modifications should be investigated for legitimacy.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-audit_rules_usergroup_modification:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-audit_rules_usergroup_modification_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If thedaemon is configured to use theprogram to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffixin the\ndirectory, in order to capture events that modify\naccount changes:If thedaemon is configured to use theutility to read audit rules during daemon startup, add the following lines tofile, in order to capture events that modify\naccount changes:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The audit system should collect access events to read audit log directory.\nThe following audit rule will assure that access to audit log directory are\ncollected.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nrule to a file with suffixin the directory.\nIf thedaemon is configured to use theutility to read audit rules during daemon startup, add the rule tofile.",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_directory_access_var_log_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-directory_access_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-directory_access_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "directory_access_var_log_audit",
+ "reference": {
+ "references": [
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_directory_access_var_log_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ }
+ ],
+ "source_location": {},
+ "title": "Record Access Events to Audit Log Directory",
+ "id": "xccdf_org.ssgproject.content_rule_directory_access_var_log_audit",
+ "desc": "The audit system should collect access events to read audit log directory.\nThe following audit rule will assure that access to audit log directory are\ncollected.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nrule to a file with suffixin the directory.\nIf thedaemon is configured to use theutility to read audit rules during daemon startup, add the rule tofile.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nACTION_ARCH_FILTERS=\"-a always,exit\"\nOTHER_FILTERS=\"-F dir=/var/log/audit/ -F perm=r\"\nAUID_FILTERS=\"-F auid>=1000 -F auid!=unset\"\nSYSCALL=\"\"\nKEY=\"access-audit-trail\"\nSYSCALL_GROUPING=\"\"\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\nunset syscall_a\nunset syscall_grouping\nunset syscall_string\nunset syscall\nunset file_to_edit\nunset rule_to_edit\nunset rule_syscalls_to_edit\nunset other_string\nunset auid_string\nunset full_rule\n\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n# If audit tool is 'augenrules', then check if the audit rule is defined\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\ndefault_file=\"/etc/audit/rules.d/$KEY.rules\"\n# As other_filters may include paths, lets use a different delimiter for it\n# The \"F\" script expression tells sed to print the filenames where the expressions matched\nreadarray -t files_to_inspect < <(sed -s -n -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" -e \"F\" /etc/audit/rules.d/*.rules)\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\nif [ ${#files_to_inspect[@]} -eq \"0\" ]\nthen\n file_to_inspect=\"/etc/audit/rules.d/$KEY.rules\"\n files_to_inspect=(\"$file_to_inspect\")\n if [ ! -e \"$file_to_inspect\" ]\n then\n touch \"$file_to_inspect\"\n chmod 0640 \"$file_to_inspect\"\n fi\nfi\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/^$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\" || candidate_rules+=(\"$s_rule\")\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\" || {\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n }\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [ \"${#candidate_rules[@]}\" -gt 0 ]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [ \"${#syscall_a[@]}\" -gt 0 ]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\") || /bin/true\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\") || /bin/true\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\" || /bin/true\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\" || {\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n }\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\nunset syscall_a\nunset syscall_grouping\nunset syscall_string\nunset syscall\nunset file_to_edit\nunset rule_to_edit\nunset rule_syscalls_to_edit\nunset other_string\nunset auid_string\nunset full_rule\n\n# Load macro arguments into arrays\nread -a syscall_a <<< $SYSCALL\nread -a syscall_grouping <<< $SYSCALL_GROUPING\n\n# Create a list of audit *.rules files that should be inspected for presence and correctness\n# of a particular audit rule. The scheme is as follows:\n#\n# -----------------------------------------------------------------------------------------\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\n# -----------------------------------------------------------------------------------------\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\n# -----------------------------------------------------------------------------------------\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\n# augenrules | No | /etc/audit/rules.d/$key.rules |\n# -----------------------------------------------------------------------------------------\n#\nfiles_to_inspect=()\n\n\n\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\n# file to the list of files to be inspected\ndefault_file=\"/etc/audit/audit.rules\"\nfiles_to_inspect+=('/etc/audit/audit.rules' )\n\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\nskip=1\n\nfor audit_file in \"${files_to_inspect[@]}\"\ndo\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\n # i.e, collect rules that match:\n # * the action, list and arch, (2-nd argument)\n # * the other filters, (3-rd argument)\n # * the auid filters, (4-rd argument)\n readarray -t similar_rules < <(sed -e \"/^$ACTION_ARCH_FILTERS/!d\" -e \"\\#$OTHER_FILTERS#!d\" -e \"/$AUID_FILTERS/!d\" \"$audit_file\")\n\n candidate_rules=()\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\n for s_rule in \"${similar_rules[@]}\"\n do\n # Strip all the options and fields we know of,\n # than check if there was any field left over\n extra_fields=$(sed -E -e \"s/^$ACTION_ARCH_FILTERS//\" -e \"s#$OTHER_FILTERS##\" -e \"s/$AUID_FILTERS//\" -e \"s/((:?-S [[:alnum:],]+)+)//g\" -e \"s/-F key=\\w+|-k \\w+//\"<<< \"$s_rule\")\n grep -q -- \"-F\" <<< \"$extra_fields\" || candidate_rules+=(\"$s_rule\")\n done\n\n if [[ ${#syscall_a[@]} -ge 1 ]]\n then\n # Check if the syscall we want is present in any of the similar existing rules\n for rule in \"${candidate_rules[@]}\"\n do\n rule_syscalls=$(echo \"$rule\" | grep -o -P '(-S [\\w,]+)+' | xargs)\n all_syscalls_found=0\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"$rule_syscalls\" || {\n # A syscall was not found in the candidate rule\n all_syscalls_found=1\n }\n done\n if [[ $all_syscalls_found -eq 0 ]]\n then\n # We found a rule with all the syscall(s) we want; skip rest of macro\n skip=0\n break\n fi\n\n # Check if this rule can be grouped with our target syscall and keep track of it\n for syscall_g in \"${syscall_grouping[@]}\"\n do\n if grep -q -- \"\\b${syscall_g}\\b\" <<< \"$rule_syscalls\"\n then\n file_to_edit=${audit_file}\n rule_to_edit=${rule}\n rule_syscalls_to_edit=${rule_syscalls}\n fi\n done\n done\n else\n # If there is any candidate rule, it is compliant; skip rest of macro\n if [ \"${#candidate_rules[@]}\" -gt 0 ]\n then\n skip=0\n fi\n fi\n\n if [ \"$skip\" -eq 0 ]; then\n break\n fi\ndone\n\nif [ \"$skip\" -ne 0 ]; then\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\n # At this point we know if we need to either append the $full_rule or group\n # the syscall together with an exsiting rule\n\n # Append the full_rule if it cannot be grouped to any other rule\n if [ -z ${rule_to_edit+x} ]\n then\n # Build full_rule while avoid adding double spaces when other_filters is empty\n if [ \"${#syscall_a[@]}\" -gt 0 ]\n then\n syscall_string=\"\"\n for syscall in \"${syscall_a[@]}\"\n do\n syscall_string+=\" -S $syscall\"\n done\n fi\n other_string=$([[ $OTHER_FILTERS ]] && echo \" $OTHER_FILTERS\") || /bin/true\n auid_string=$([[ $AUID_FILTERS ]] && echo \" $AUID_FILTERS\") || /bin/true\n full_rule=\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\" || /bin/true\n echo \"$full_rule\" >> \"$default_file\"\n chmod o-rwx ${default_file}\n else\n # Check if the syscalls are declared as a comma separated list or\n # as multiple -S parameters\n if grep -q -- \",\" <<< \"${rule_syscalls_to_edit}\"\n then\n delimiter=\",\"\n else\n delimiter=\" -S \"\n fi\n new_grouped_syscalls=\"${rule_syscalls_to_edit}\"\n for syscall in \"${syscall_a[@]}\"\n do\n grep -q -- \"\\b${syscall}\\b\" <<< \"${rule_syscalls_to_edit}\" || {\n # A syscall was not found in the candidate rule\n new_grouped_syscalls+=\"${delimiter}${syscall}\"\n }\n done\n\n # Group the syscall in the rule\n sed -i -e \"\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\" \"$file_to_edit\"\n fi\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.\nAuditing these events could serve as evidence of potential system compromise.'",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Record Access Events to Audit Log Directory\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail\",\n \"code\": [\n \"auditd\",\n \"augenrules\",\n \".rules\",\n \"/etc/audit/rules.d\",\n \"auditd\",\n \"auditctl\",\n \"/etc/audit/audit.rules\"\n ],\n \"text\": \"The audit system should collect access events to read audit log directory.\\nThe following audit rule will assure that access to audit log directory are\\ncollected.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\\nrule to a file with suffixin the directory.\\nIf thedaemon is configured to use theutility to read audit rules during daemon startup, add the rule tofile.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n }\n ],\n \"rationale\": {\n \"text\": \"Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.\\nAuditing these events could serve as evidence of potential system compromise.'\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nACTION_ARCH_FILTERS=\\\"-a always,exit\\\"\\nOTHER_FILTERS=\\\"-F dir=/var/log/audit/ -F perm=r\\\"\\nAUID_FILTERS=\\\"-F auid>=1000 -F auid!=unset\\\"\\nSYSCALL=\\\"\\\"\\nKEY=\\\"access-audit-trail\\\"\\nSYSCALL_GROUPING=\\\"\\\"\\n# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n# If audit tool is 'augenrules', then check if the audit rule is defined\\n# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection\\n# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection\\ndefault_file=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n# As other_filters may include paths, lets use a different delimiter for it\\n# The \\\"F\\\" script expression tells sed to print the filenames where the expressions matched\\nreadarray -t files_to_inspect < <(sed -s -n -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" -e \\\"F\\\" /etc/audit/rules.d/*.rules)\\n# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet\\nif [ ${#files_to_inspect[@]} -eq \\\"0\\\" ]\\nthen\\n file_to_inspect=\\\"/etc/audit/rules.d/$KEY.rules\\\"\\n files_to_inspect=(\\\"$file_to_inspect\\\")\\n if [ ! -e \\\"$file_to_inspect\\\" ]\\n then\\n touch \\\"$file_to_inspect\\\"\\n chmod 0640 \\\"$file_to_inspect\\\"\\n fi\\nfi\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\nunset syscall_a\\nunset syscall_grouping\\nunset syscall_string\\nunset syscall\\nunset file_to_edit\\nunset rule_to_edit\\nunset rule_syscalls_to_edit\\nunset other_string\\nunset auid_string\\nunset full_rule\\n\\n# Load macro arguments into arrays\\nread -a syscall_a <<< $SYSCALL\\nread -a syscall_grouping <<< $SYSCALL_GROUPING\\n\\n# Create a list of audit *.rules files that should be inspected for presence and correctness\\n# of a particular audit rule. The scheme is as follows:\\n#\\n# -----------------------------------------------------------------------------------------\\n# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |\\n# -----------------------------------------------------------------------------------------\\n# auditctl | Doesn't matter | /etc/audit/audit.rules |\\n# -----------------------------------------------------------------------------------------\\n# augenrules | Yes | /etc/audit/rules.d/*.rules |\\n# augenrules | No | /etc/audit/rules.d/$key.rules |\\n# -----------------------------------------------------------------------------------------\\n#\\nfiles_to_inspect=()\\n\\n\\n\\n# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'\\n# file to the list of files to be inspected\\ndefault_file=\\\"/etc/audit/audit.rules\\\"\\nfiles_to_inspect+=('/etc/audit/audit.rules' )\\n\\n# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead\\nskip=1\\n\\nfor audit_file in \\\"${files_to_inspect[@]}\\\"\\ndo\\n # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,\\n # i.e, collect rules that match:\\n # * the action, list and arch, (2-nd argument)\\n # * the other filters, (3-rd argument)\\n # * the auid filters, (4-rd argument)\\n readarray -t similar_rules < <(sed -e \\\"/^$ACTION_ARCH_FILTERS/!d\\\" -e \\\"\\\\#$OTHER_FILTERS#!d\\\" -e \\\"/$AUID_FILTERS/!d\\\" \\\"$audit_file\\\")\\n\\n candidate_rules=()\\n # Filter out rules that have more fields then required. This will remove rules more specific than the required scope\\n for s_rule in \\\"${similar_rules[@]}\\\"\\n do\\n # Strip all the options and fields we know of,\\n # than check if there was any field left over\\n extra_fields=$(sed -E -e \\\"s/^$ACTION_ARCH_FILTERS//\\\" -e \\\"s#$OTHER_FILTERS##\\\" -e \\\"s/$AUID_FILTERS//\\\" -e \\\"s/((:?-S [[:alnum:],]+)+)//g\\\" -e \\\"s/-F key=\\\\w+|-k \\\\w+//\\\"<<< \\\"$s_rule\\\")\\n grep -q -- \\\"-F\\\" <<< \\\"$extra_fields\\\" || candidate_rules+=(\\\"$s_rule\\\")\\n done\\n\\n if [[ ${#syscall_a[@]} -ge 1 ]]\\n then\\n # Check if the syscall we want is present in any of the similar existing rules\\n for rule in \\\"${candidate_rules[@]}\\\"\\n do\\n rule_syscalls=$(echo \\\"$rule\\\" | grep -o -P '(-S [\\\\w,]+)+' | xargs)\\n all_syscalls_found=0\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"$rule_syscalls\\\" || {\\n # A syscall was not found in the candidate rule\\n all_syscalls_found=1\\n }\\n done\\n if [[ $all_syscalls_found -eq 0 ]]\\n then\\n # We found a rule with all the syscall(s) we want; skip rest of macro\\n skip=0\\n break\\n fi\\n\\n # Check if this rule can be grouped with our target syscall and keep track of it\\n for syscall_g in \\\"${syscall_grouping[@]}\\\"\\n do\\n if grep -q -- \\\"\\\\b${syscall_g}\\\\b\\\" <<< \\\"$rule_syscalls\\\"\\n then\\n file_to_edit=${audit_file}\\n rule_to_edit=${rule}\\n rule_syscalls_to_edit=${rule_syscalls}\\n fi\\n done\\n done\\n else\\n # If there is any candidate rule, it is compliant; skip rest of macro\\n if [ \\\"${#candidate_rules[@]}\\\" -gt 0 ]\\n then\\n skip=0\\n fi\\n fi\\n\\n if [ \\\"$skip\\\" -eq 0 ]; then\\n break\\n fi\\ndone\\n\\nif [ \\\"$skip\\\" -ne 0 ]; then\\n # We checked all rules that matched the expected resemblance pattern (action, arch & auid)\\n # At this point we know if we need to either append the $full_rule or group\\n # the syscall together with an exsiting rule\\n\\n # Append the full_rule if it cannot be grouped to any other rule\\n if [ -z ${rule_to_edit+x} ]\\n then\\n # Build full_rule while avoid adding double spaces when other_filters is empty\\n if [ \\\"${#syscall_a[@]}\\\" -gt 0 ]\\n then\\n syscall_string=\\\"\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n syscall_string+=\\\" -S $syscall\\\"\\n done\\n fi\\n other_string=$([[ $OTHER_FILTERS ]] && echo \\\" $OTHER_FILTERS\\\") || /bin/true\\n auid_string=$([[ $AUID_FILTERS ]] && echo \\\" $AUID_FILTERS\\\") || /bin/true\\n full_rule=\\\"$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY\\\" || /bin/true\\n echo \\\"$full_rule\\\" >> \\\"$default_file\\\"\\n chmod o-rwx ${default_file}\\n else\\n # Check if the syscalls are declared as a comma separated list or\\n # as multiple -S parameters\\n if grep -q -- \\\",\\\" <<< \\\"${rule_syscalls_to_edit}\\\"\\n then\\n delimiter=\\\",\\\"\\n else\\n delimiter=\\\" -S \\\"\\n fi\\n new_grouped_syscalls=\\\"${rule_syscalls_to_edit}\\\"\\n for syscall in \\\"${syscall_a[@]}\\\"\\n do\\n grep -q -- \\\"\\\\b${syscall}\\\\b\\\" <<< \\\"${rule_syscalls_to_edit}\\\" || {\\n # A syscall was not found in the candidate rule\\n new_grouped_syscalls+=\\\"${delimiter}${syscall}\\\"\\n }\\n done\\n\\n # Group the syscall in the rule\\n sed -i -e \\\"\\\\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#\\\" \\\"$file_to_edit\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"directory_access_var_log_audit\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-directory_access_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-directory_access_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_directory_access_var_log_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit system should collect access events to read audit log directory.\nThe following audit rule will assure that access to audit log directory are\ncollected.If thedaemon is configured to use theprogram to read audit rules during daemon startup (the default), add the\nrule to a file with suffixin the directory.\nIf thedaemon is configured to use theutility to read audit rules during daemon startup, add the rule tofile.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164"
+ ],
+ "nist": [
+ "AU-9 a",
+ "CM-6 a.",
+ "AC-6 (1)",
+ "AU-9"
+ ],
+ "severity": "medium",
+ "description": "Ifinis set to a group other than thegroup account, change the mode of the audit log files with the following command:Otherwise, change the mode of the audit log files with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-directory_permissions_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-directory_permissions_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "directory_permissions_var_log_audit",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000162",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000163",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000164",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000057-GPOS-00027",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000058-GPOS-00028",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000059-GPOS-00029",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000162",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000163",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000164",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000057-GPOS-00027",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000058-GPOS-00028",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000059-GPOS-00029",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "System Audit Logs Must Have Mode 0750 or Less Permissive",
+ "id": "xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit",
+ "desc": "Ifinis set to a group other than thegroup account, change the mode of the audit log files with the following command:Otherwise, change the mode of the audit log files with the following command:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nif LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then\n DIR=$(awk -F \"=\" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d\"/\" -f2- | rev)\nelse\n DIR=\"/var/log/audit\"\nfi\n\n\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\n GROUP=$(awk -F \"=\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\n if ! [ \"${GROUP}\" == 'root' ] ; then\n chmod 0750 $DIR\n else\n chmod 0700 $DIR\n fi\nelse\n chmod 0700 $DIR\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "If users can write to audit logs, audit trails can be modified or destroyed.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"System Audit Logs Must Have Mode 0750 or Less Permissive\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"log_group\",\n \"/etc/audit/auditd.conf\",\n \"root\"\n ],\n \"pre\": [\n \"$ sudo chmod 0750 /var/log/audit\",\n \"$ sudo chmod 0700 /var/log/audit\"\n ],\n \"br\": \"\",\n \"text\": \"Ifinis set to a group other than thegroup account, change the mode of the audit log files with the following command:Otherwise, change the mode of the audit log files with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000162\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000163\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000164\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000057-GPOS-00027\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000058-GPOS-00028\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000059-GPOS-00029\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If users can write to audit logs, audit trails can be modified or destroyed.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif LC_ALL=C grep -iw ^log_file /etc/audit/auditd.conf; then\\n DIR=$(awk -F \\\"=\\\" '/^log_file/ {print $2}' /etc/audit/auditd.conf | tr -d ' ' | rev | cut -d\\\"/\\\" -f2- | rev)\\nelse\\n DIR=\\\"/var/log/audit\\\"\\nfi\\n\\n\\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\\n GROUP=$(awk -F \\\"=\\\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\\n if ! [ \\\"${GROUP}\\\" == 'root' ] ; then\\n chmod 0750 $DIR\\n else\\n chmod 0700 $DIR\\n fi\\nelse\\n chmod 0700 $DIR\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"directory_permissions_var_log_audit\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-directory_permissions_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-directory_permissions_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ifinis set to a group other than thegroup account, change the mode of the audit log files with the following command:Otherwise, change the mode of the audit log files with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000171"
+ ],
+ "nist": [
+ "AU-12 b"
+ ],
+ "severity": "medium",
+ "description": "All audit configuration files must be owned by group root.",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupownership_audit_configuration:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000171",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000063-GPOS-00032",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000171",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000063-GPOS-00032",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Audit Configuration Files Must Be Owned By Group root",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration",
+ "desc": "All audit configuration files must be owned by group root.",
+ "descriptions": [
+ {
+ "data": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able\nto prevent the auditing of critical events.\nMisconfigured audits may degrade the system's performance by\noverwhelming the audit log. Misconfigured audits may also make it more\ndifficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Audit Configuration Files Must Be Owned By Group root\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*\",\n \"text\": \"All audit configuration files must be owned by group root.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000171\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000063-GPOS-00032\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without the capability to restrict which roles and individuals can\\nselect which events are audited, unauthorized personnel may be able\\nto prevent the auditing of critical events.\\nMisconfigured audits may degrade the system's performance by\\noverwhelming the audit log. Misconfigured audits may also make it more\\ndifficult to establish, correlate, and investigate the events relating\\nto an incident or identify those responsible for one.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nfind /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex '^audit(\\\\.rules|d\\\\.conf)$' -exec chgrp 0 {} \\\\;\\n\\n\\nfind /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex '^.*\\\\.rules$' -exec chgrp 0 {} \\\\;\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"file_groupownership_audit_configuration\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - configure_strategy\\n - file_groupownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /etc/audit/ file(s) matching ^audit(\\\\.rules|d\\\\.conf)$\\n command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex \\\"^audit(\\\\.rules|d\\\\.conf)$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_groupownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner on /etc/audit/ file(s) matching ^audit(\\\\.rules|d\\\\.conf)$\\n file:\\n path: '{{ item }}'\\n group: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_groupownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /etc/audit/rules.d/ file(s) matching ^.*\\\\.rules$\\n command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex \\\"^.*\\\\.rules$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_groupownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\\\\.rules$\\n file:\\n path: '{{ item }}'\\n group: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_groupownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupownership_audit_configuration\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupownership_audit_configuration:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "All audit configuration files must be owned by group root.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000171"
+ ],
+ "nist": [
+ "AU-12 b"
+ ],
+ "severity": "medium",
+ "description": "All audit configuration files must be owned by root user.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_audit_configuration:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000171",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000063-GPOS-00032",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000171",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000063-GPOS-00032",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Audit Configuration Files Must Be Owned By Root",
+ "id": "xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration",
+ "desc": "All audit configuration files must be owned by root user.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Without the capability to restrict which roles and individuals can\nselect which events are audited, unauthorized personnel may be able\nto prevent the auditing of critical events.\nMisconfigured audits may degrade the system's performance by\noverwhelming the audit log. Misconfigured audits may also make it more\ndifficult to establish, correlate, and investigate the events relating\nto an incident or identify those responsible for one.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Audit Configuration Files Must Be Owned By Root\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/audit/\",\n \"/etc/audit/rules.d/\"\n ],\n \"pre\": [\n \"$ sudo chown root /etc/audit/\",\n \"$ sudo chown root /etc/audit/rules.d/\"\n ],\n \"text\": \"All audit configuration files must be owned by root user.\\n\\nTo properly set the owner of, run the command:To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000171\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000063-GPOS-00032\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without the capability to restrict which roles and individuals can\\nselect which events are audited, unauthorized personnel may be able\\nto prevent the auditing of critical events.\\nMisconfigured audits may degrade the system's performance by\\noverwhelming the audit log. Misconfigured audits may also make it more\\ndifficult to establish, correlate, and investigate the events relating\\nto an incident or identify those responsible for one.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nfind /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex '^audit(\\\\.rules|d\\\\.conf)$' -exec chown 0 {} \\\\;\\n\\nfind /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex '^.*\\\\.rules$' -exec chown 0 {} \\\\;\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"file_ownership_audit_configuration\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - configure_strategy\\n - file_ownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /etc/audit/ file(s) matching ^audit(\\\\.rules|d\\\\.conf)$\\n command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex \\\"^audit(\\\\.rules|d\\\\.conf)$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_ownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /etc/audit/ file(s) matching ^audit(\\\\.rules|d\\\\.conf)$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_ownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /etc/audit/rules.d/ file(s) matching ^.*\\\\.rules$\\n command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex \\\"^.*\\\\.rules$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_ownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\\\\.rules$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - file_ownership_audit_configuration\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_ownership_audit_configuration\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_audit_configuration:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "All audit configuration files must be owned by root user.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000162",
+ "CCI-000163",
+ "CCI-000164",
+ "CCI-001314"
+ ],
+ "nist": [
+ "AU-9 a",
+ "SI-11 b",
+ "CM-6 a.",
+ "AC-6 (1)",
+ "AU-9 (4)"
+ ],
+ "severity": "medium",
+ "description": "All audit logs must be owned by root user and group. By default, the path for audit log is.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditd_configure_rules",
+ "group_title": "Configure auditd Rules for Comprehensive Auditing",
+ "group_description": "Theprogram can perform comprehensive\nmonitoring of system activity. This section describes recommended\nconfiguration settings for comprehensive auditing, but a full\ndescription of the auditing system's capabilities is beyond the\nscope of this guide. The mailing listexists\nto facilitate community discussion of the auditing system.The audit subsystem supports extensive collection of events, including:Auditing rules at startup are controlled by the file.\nAdd rules to it to meet the auditing requirements for your organization.\nEach line inrepresents a series of arguments\nthat can be passed toand can be individually tested\nduring runtime. See documentation inand\nin the related man pages for more details.If copying any example audit rulesets from,\nbe sure to comment out the\nlines containingwhich are not appropriate for your system's\narchitecture. Then review and understand the following rules,\nensuring rules are activated as needed for the appropriate\narchitecture.After reviewing all the rules, reading the following sections, and\nediting as needed, the new rules can be activated as follows:",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "file_ownership_var_log_audit",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000162",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000163",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000164",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-9(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.5.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000057-GPOS-00027",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000058-GPOS-00028",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000059-GPOS-00029",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000162",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000163",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000164",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-9(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.5.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000057-GPOS-00027",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000058-GPOS-00028",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000059-GPOS-00029",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "System Audit Logs Must Be Owned By Root",
+ "id": "xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit",
+ "desc": "All audit logs must be owned by root user and group. By default, the path for audit log is.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\n GROUP=$(awk -F \"=\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\n if ! [ \"${GROUP}\" == 'root' ] ; then\n chown root:${GROUP} /var/log/audit\n chown root:${GROUP} /var/log/audit/audit.log*\n else\n chown root:root /var/log/audit\n chown root:root /var/log/audit/audit.log*\n fi\nelse\n chown root:root /var/log/audit\n chown root:root /var/log/audit/audit.log*\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Unauthorized disclosure of audit records can reveal system and configuration data to\nattackers, thus compromising its confidentiality.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"System Audit Logs Must Be Owned By Root\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/var/log/audit/\",\n \"$ sudo chown root /var/log/audit\",\n \"$ sudo chown root /var/log/audit/*\"\n ],\n \"code\": [\n \"/var/log/audit\",\n \"/var/log/audit/*\"\n ],\n \"text\": \"All audit logs must be owned by root user and group. By default, the path for audit log is.\\n\\nTo properly set the owner of, run the command:To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000162\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000163\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000164\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-9(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.5.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000057-GPOS-00027\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000058-GPOS-00028\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000059-GPOS-00029\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Unauthorized disclosure of audit records can reveal system and configuration data to\\nattackers, thus compromising its confidentiality.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then\\n GROUP=$(awk -F \\\"=\\\" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ')\\n if ! [ \\\"${GROUP}\\\" == 'root' ] ; then\\n chown root:${GROUP} /var/log/audit\\n chown root:${GROUP} /var/log/audit/audit.log*\\n else\\n chown root:root /var/log/audit\\n chown root:root /var/log/audit/audit.log*\\n fi\\nelse\\n chown root:root /var/log/audit\\n chown root:root /var/log/audit/audit.log*\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"file_ownership_var_log_audit\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_var_log_audit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "All audit logs must be owned by root user and group. By default, the path for audit log is.\n\nTo properly set the owner of, run the command:To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000136"
+ ],
+ "nist": [
+ "AU-3 (2)",
+ "AU-4 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To configure theservice to use theplug-in of theaudit event multiplexor, set\ntheline into.\nRestart theservice:",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_audispd_syslog_plugin_activated_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000136",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(6)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(8)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.314(a)(2)(i)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.314(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.5.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000051-VMM-000230",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000058-VMM-000270",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000059-VMM-000280",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000479-VMM-001990",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000479-VMM-001990",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000136",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(6)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(8)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.314(a)(2)(i)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.314(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.5.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000051-VMM-000230"
+ },
+ {
+ "ref": "SRG-OS-000058-VMM-000270"
+ },
+ {
+ "ref": "SRG-OS-000059-VMM-000280"
+ },
+ {
+ "ref": "SRG-OS-000479-VMM-001990"
+ },
+ {
+ "ref": "SRG-OS-000479-VMM-001990"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd to use audispd's syslog plugin",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated",
+ "desc": "To configure theservice to use theplug-in of theaudit event multiplexor, set\ntheline into.\nRestart theservice:",
+ "descriptions": [
+ {
+ "data": "The auditd service does not include the ability to send audit\nrecords to a centralized server for management directly. It does, however,\ninclude a plug-in for audit event multiplexor (audispd) to pass audit records\nto the local syslog server.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd to use audispd's syslog plugin\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"syslog\",\n \"audispd\",\n \"active\",\n \"/etc/audit/plugins.d/syslog.conf\",\n \"yes\",\n \"auditd\"\n ],\n \"pre\": \"$ sudo service auditd restart\",\n \"text\": \"To configure theservice to use theplug-in of theaudit event multiplexor, set\\ntheline into.\\nRestart theservice:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000136\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(6)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(8)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.314(a)(2)(i)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.314(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.5.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000051-VMM-000230\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000058-VMM-000270\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000059-VMM-000280\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000479-VMM-001990\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000479-VMM-001990\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The auditd service does not include the ability to send audit\\nrecords to a centralized server for management directly. It does, however,\\ninclude a plug-in for audit event multiplexor (audispd) to pass audit records\\nto the local syslog server.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_syslog_active=\\\"yes\\\"\\n\\nAUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDISP_SYSLOGCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^active\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_syslog_active\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^active\\\\\\\\>\\\" \\\"$AUDISP_SYSLOGCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^active\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDISP_SYSLOGCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDISP_SYSLOGCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_audispd_syslog_plugin_activated\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-53-AU-4(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.3\\n - auditd_audispd_syslog_plugin_activated\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: enable syslog plugin\\n lineinfile:\\n dest: /etc/audit/plugins.d/syslog.conf\\n regexp: ^active\\n line: active = yes\\n create: true\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-53-AU-4(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.5.3\\n - auditd_audispd_syslog_plugin_activated\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"auditd_audispd_syslog_plugin_activated\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_audispd_syslog_plugin_activated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_audispd_syslog_plugin_activated_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure theservice to use theplug-in of theaudit event multiplexor, set\ntheline into.\nRestart theservice:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_disk_error_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_error_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_error_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Action for auditd to take when disk errors",
+ "lang": "en-US"
+ },
+ "description": "'The setting for disk_error_action in /etc/audit/auditd.conf, if multiple\nvalues are allowed write them separated by pipes as in \"syslog|single|halt\",\nfor remediations the first value will be taken'",
+ "value": [
+ "single",
+ {
+ "text": "exec",
+ "selector": "exec"
+ },
+ {
+ "text": "halt",
+ "selector": "halt"
+ },
+ {
+ "text": "single",
+ "selector": "single"
+ },
+ {
+ "text": "suspend",
+ "selector": "suspend"
+ },
+ {
+ "text": "syslog",
+ "selector": "syslog"
+ },
+ {
+ "text": "ignore",
+ "selector": "ignore"
+ },
+ {
+ "text": "syslog|single|halt",
+ "selector": "ol8"
+ },
+ {
+ "text": "syslog|single|halt",
+ "selector": "rhel8"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_disk_error_action",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Disk Error Action on Disk Error",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action",
+ "desc": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "descriptions": [
+ {
+ "data": "Taking appropriate action in case of disk errors will minimize the possibility of\nlosing audit records.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Disk Error Action on Disk Error\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"single\",\n \"syslog\",\n \"exec\",\n \"single\",\n \"halt\",\n \"auditd.conf\"\n ],\n \"i\": [\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"disk_error_action =\"\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen there is a disk error.\\nEdit the file. Add or modify the following line,\\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\\noutweighs the need to log all actions, and a different setting should be\\ndetermined. Details regarding all possible values forare described in theman page.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Taking appropriate action in case of disk errors will minimize the possibility of\\nlosing audit records.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_disk_error_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_error_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_error_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_error_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Disk Error Action on Disk Error",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig",
+ "desc": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "descriptions": [
+ {
+ "data": "Taking appropriate action in case of disk errors will minimize the possibility of\nlosing audit records.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Disk Error Action on Disk Error\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"single\",\n \"syslog\",\n \"exec\",\n \"single\",\n \"halt\",\n \"auditd.conf\"\n ],\n \"i\": [\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"disk_error_action =\"\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen there is a disk error.\\nEdit the file. Add or modify the following line,\\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\\noutweighs the need to log all actions, and a different setting should be\\ndetermined. Details regarding all possible values forare described in theman page.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Taking appropriate action in case of disk errors will minimize the possibility of\\nlosing audit records.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_error_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen there is a disk error.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_disk_full_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_full_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_full_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_disk_full_action",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Action for auditd to take when disk is full",
+ "lang": "en-US"
+ },
+ "description": "'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple\nvalues are allowed write them separated by pipes as in \"syslog|single|halt\",\nfor remediations the first value will be taken'",
+ "value": [
+ "single",
+ {
+ "text": "exec",
+ "selector": "exec"
+ },
+ {
+ "text": "halt",
+ "selector": "halt"
+ },
+ {
+ "text": "single",
+ "selector": "single"
+ },
+ {
+ "text": "suspend",
+ "selector": "suspend"
+ },
+ {
+ "text": "syslog",
+ "selector": "syslog"
+ },
+ {
+ "text": "ignore",
+ "selector": "ignore"
+ },
+ {
+ "text": "rotate",
+ "selector": "rotate"
+ },
+ {
+ "text": "syslog|single|halt",
+ "selector": "ol8"
+ },
+ {
+ "text": "syslog|single|halt",
+ "selector": "rhel8"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_disk_full_action",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Disk Full Action when Disk Space Is Full",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action",
+ "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_disk_full_action=''\n\n\nvar_auditd_disk_full_action=\"$(echo $var_auditd_disk_full_action | cut -d \\| -f 1)\"\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/audit/auditd.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^disk_full_action\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_disk_full_action\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^disk_full_action\\\\>\" \"/etc/audit/auditd.conf\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^disk_full_action\\\\>.*/$escaped_formatted_output/gi\" \"/etc/audit/auditd.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"/etc/audit/auditd.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Taking appropriate action in case of a filled audit storage volume will minimize\nthe possibility of losing audit records.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Disk Full Action when Disk Space Is Full\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"single\",\n \"syslog\",\n \"exec\",\n \"single\",\n \"halt\",\n \"auditd.conf\"\n ],\n \"i\": [\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"disk_full_action =\"\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen disk space is running low but prior to running out of space completely.\\nEdit the file. Add or modify the following line,\\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\\noutweighs the need to log all actions, and a different setting should be\\ndetermined. Details regarding all possible values forare described in theman page.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Taking appropriate action in case of a filled audit storage volume will minimize\\nthe possibility of losing audit records.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_full_action\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_disk_full_action=''\\n\\n\\nvar_auditd_disk_full_action=\\\"$(echo $var_auditd_disk_full_action | cut -d \\\\| -f 1)\\\"\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/audit/auditd.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^disk_full_action\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_disk_full_action\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^disk_full_action\\\\\\\\>\\\" \\\"/etc/audit/auditd.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^disk_full_action\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/audit/auditd.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_disk_full_action\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_disk_full_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_full_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_full_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_full_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_full_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_disk_full_action_stig",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Disk Full Action when Disk Space Is Full",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig",
+ "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_disk_full_action=''\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/audit/auditd.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^disk_full_action\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_disk_full_action\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^disk_full_action\\\\>\" \"/etc/audit/auditd.conf\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^disk_full_action\\\\>.*/$escaped_formatted_output/gi\" \"/etc/audit/auditd.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"/etc/audit/auditd.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Taking appropriate action in case of a filled audit storage volume will minimize\nthe possibility of losing audit records.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Disk Full Action when Disk Space Is Full\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"single\",\n \"syslog\",\n \"single\",\n \"halt\",\n \"auditd.conf\"\n ],\n \"i\": [\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"disk_full_action =\"\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen disk space is running low but prior to running out of space completely.\\nEdit the file. Add or modify the following line,\\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\\nmode for corrective action. Acceptable values also include,, and. For certain systems, the need for availability\\noutweighs the need to log all actions, and a different setting should be\\ndetermined. Details regarding all possible values forare described in theman page.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Taking appropriate action in case of a filled audit storage volume will minimize\\nthe possibility of losing audit records.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_disk_full_action\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_disk_full_action=''\\n\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/audit/auditd.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^disk_full_action\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_disk_full_action\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^disk_full_action\\\\\\\\>\\\" \\\"/etc/audit/auditd.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^disk_full_action\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/audit/auditd.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_disk_full_action_stig\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_disk_full_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_disk_full_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single-user\nmode for corrective action. Acceptable values also include,, and. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000139",
+ "CCI-001855"
+ ],
+ "nist": [
+ "AU-5 a",
+ "AU-5 (1)",
+ "IA-5 (1)",
+ "AU-5 a.",
+ "AU-5 (2)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to send email to\na designated account in certain situations. Add or correct the following line\ninto ensure that administrators are notified\nvia email for those situations:",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_action_mail_acct:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_action_mail_acct:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_action_mail_acct_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_action_mail_acct",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000139",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001855",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "IA-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7.a",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000046-GPOS-00022",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000343-GPOS-00134",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000046-VMM-000210",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000343-VMM-001240",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Account for auditd to send email when actions occurs",
+ "lang": "en-US"
+ },
+ "description": "The setting for action_mail_acct in /etc/audit/auditd.conf",
+ "value": [
+ {
+ "text": "admin",
+ "selector": "admin"
+ },
+ "root",
+ {
+ "text": "root",
+ "selector": "root"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000139",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001855",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "IA-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7.a",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000046-GPOS-00022",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000343-GPOS-00134",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000046-VMM-000210"
+ },
+ {
+ "ref": "SRG-OS-000343-VMM-001240"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd mail_acct Action on Low Disk Space",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct",
+ "desc": "Theservice can be configured to send email to\na designated account in certain situations. Add or correct the following line\ninto ensure that administrators are notified\nvia email for those situations:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_action_mail_acct=''\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^action_mail_acct\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_action_mail_acct\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^action_mail_acct\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^action_mail_acct\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Email sent to the root account is typically aliased to the\nadministrators of the system, who can take appropriate action.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd mail_acct Action on Low Disk Space\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct\",\n \"use\": \"legacy\"\n },\n \"text\": \"action_mail_acct =\"\n },\n \"text\": \"Theservice can be configured to send email to\\na designated account in certain situations. Add or correct the following line\\ninto ensure that administrators are notified\\nvia email for those situations:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000139\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001855\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"IA-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7.a\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000046-GPOS-00022\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000343-GPOS-00134\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000046-VMM-000210\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000343-VMM-001240\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Email sent to the root account is typically aliased to the\\nadministrators of the system, who can take appropriate action.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_action_mail_acct=''\\n\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^action_mail_acct\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_action_mail_acct\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^action_mail_acct\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^action_mail_acct\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_action_mail_acct\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_action_mail_acct:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_action_mail_acct:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_action_mail_acct_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to send email to\na designated account in certain situations. Add or correct the following line\ninto ensure that administrators are notified\nvia email for those situations:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140",
+ "CCI-001343",
+ "CCI-001855"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 (4)",
+ "AU-5 (1)",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single user\nmode for corrective action. Acceptable values also includeand. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_admin_space_left_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_admin_space_left_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_admin_space_left_action",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001343",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001855",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000343-GPOS-00134",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Action for auditd to take when disk space is low",
+ "lang": "en-US"
+ },
+ "description": "The setting for admin_space_left_action in /etc/audit/auditd.conf",
+ "value": [
+ "single",
+ {
+ "text": "email",
+ "selector": "email"
+ },
+ {
+ "text": "exec",
+ "selector": "exec"
+ },
+ {
+ "text": "halt",
+ "selector": "halt"
+ },
+ {
+ "text": "single",
+ "selector": "single"
+ },
+ {
+ "text": "suspend",
+ "selector": "suspend"
+ },
+ {
+ "text": "syslog",
+ "selector": "syslog"
+ },
+ {
+ "text": "rotate",
+ "selector": "rotate"
+ },
+ {
+ "text": "ignore",
+ "selector": "ignore"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001343",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001855",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000343-GPOS-00134",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd admin_space_left Action on Low Disk Space",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action",
+ "desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single user\nmode for corrective action. Acceptable values also includeand. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_admin_space_left_action=''\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^admin_space_left_action\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_admin_space_left_action\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^admin_space_left_action\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^admin_space_left_action\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Administrators should be made aware of an inability to record\naudit records. If a separate partition or logical volume of adequate size\nis used, running low on space for audit records should never occur.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd admin_space_left Action on Low Disk Space\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"single\",\n \"suspend\",\n \"halt\",\n \"auditd.conf\"\n ],\n \"i\": [\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"admin_space_left_action =\"\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen disk space is running low but prior to running out of space completely.\\nEdit the file. Add or modify the following line,\\nsubstitutingappropriately:Set this value toto cause the system to switch to single user\\nmode for corrective action. Acceptable values also includeand. For certain systems, the need for availability\\noutweighs the need to log all actions, and a different setting should be\\ndetermined. Details regarding all possible values forare described in theman page.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001343\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001855\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000343-GPOS-00134\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Administrators should be made aware of an inability to record\\naudit records. If a separate partition or logical volume of adequate size\\nis used, running low on space for audit records should never occur.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_admin_space_left_action=''\\n\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^admin_space_left_action\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_admin_space_left_action\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^admin_space_left_action\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^admin_space_left_action\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_admin_space_left_action\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_admin_space_left_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_admin_space_left_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file. Add or modify the following line,\nsubstitutingappropriately:Set this value toto cause the system to switch to single user\nmode for corrective action. Acceptable values also includeand. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values forare described in theman page.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-11",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Determine the amount of audit data (in megabytes)\nwhich should be retained in each log file. Edit the file. Add or modify the following line, substituting\nthe correct value offor:Set the value to(MB) or higher for general-purpose systems.\nLarger values, of course,\nsupport retention of even more audit data.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_max_log_file:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_max_log_file",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AU-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Maximum audit log file size for auditd",
+ "lang": "en-US"
+ },
+ "description": "The setting for max_log_file in /etc/audit/auditd.conf",
+ "value": [
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "10",
+ "selector": "10"
+ },
+ {
+ "text": "20",
+ "selector": "20"
+ },
+ {
+ "text": "5",
+ "selector": "5"
+ },
+ {
+ "text": "6",
+ "selector": "6"
+ },
+ "6"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_max_log_file",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AU-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Max Log File Size",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file",
+ "desc": "Determine the amount of audit data (in megabytes)\nwhich should be retained in each log file. Edit the file. Add or modify the following line, substituting\nthe correct value offor:Set the value to(MB) or higher for general-purpose systems.\nLarger values, of course,\nsupport retention of even more audit data.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_max_log_file=''\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^max_log_file\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_max_log_file\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^max_log_file\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^max_log_file\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum\nlog file size and the number of logs retained.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Max Log File Size\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/audit/auditd.conf\",\n \"6\"\n ],\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file\",\n \"use\": \"legacy\"\n },\n \"i\": \"STOREMB\",\n \"pre\": {\n \"i\": \"STOREMB\",\n \"text\": \"max_log_file =\"\n },\n \"text\": \"Determine the amount of audit data (in megabytes)\\nwhich should be retained in each log file. Edit the file. Add or modify the following line, substituting\\nthe correct value offor:Set the value to(MB) or higher for general-purpose systems.\\nLarger values, of course,\\nsupport retention of even more audit data.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AU-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The total storage for audit log files must be large enough to retain\\nlog information over the period required. This is a function of the maximum\\nlog file size and the number of logs retained.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_max_log_file=''\\n\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^max_log_file\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_max_log_file\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^max_log_file\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^max_log_file\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_max_log_file\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_max_log_file:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Determine the amount of audit data (in megabytes)\nwhich should be retained in each log file. Edit the file. Add or modify the following line, substituting\nthe correct value offor:Set the value to(MB) or higher for general-purpose systems.\nLarger values, of course,\nsupport retention of even more audit data.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_max_log_file_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_max_log_file_action",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Action for auditd to take when log files reach their maximum size",
+ "lang": "en-US"
+ },
+ "description": "The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available:ignore - audit daemon does nothing.syslog - audit daemon will issue a warning to syslog.suspend - audit daemon will stop writing records to the disk.rotate - audit daemon will rotate logs in the same convention used by logrotate.keep_logs - similar to rotate but prevents audit logs to be overwritten. May trigger space_left_action if volume is full.",
+ "value": [
+ "rotate",
+ {
+ "text": "keep_logs",
+ "selector": "keep_logs"
+ },
+ {
+ "text": "rotate",
+ "selector": "rotate"
+ },
+ {
+ "text": "suspend",
+ "selector": "suspend"
+ },
+ {
+ "text": "syslog",
+ "selector": "syslog"
+ },
+ {
+ "text": "ignore",
+ "selector": "ignore"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd max_log_file_action Upon Reaching Maximum Log Size",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action",
+ "desc": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_max_log_file_action=''\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^max_log_file_action\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_max_log_file_action\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^max_log_file_action\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^max_log_file_action\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Automatically rotating logs (by setting this to)\nminimizes the chances of the system unexpectedly running out of disk space by\nbeing overwhelmed with log data. However, for systems that must never discard\nlog data, or which use external processes to transfer it and reclaim space,can be employed.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd max_log_file_action Upon Reaching Maximum Log Size\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"auditd.conf\",\n {\n \"i\": \"ACTION\"\n },\n \"rotate\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"max_log_file_action =\"\n },\n \"i\": \"ACTION\",\n \"ul\": {\n \"li\": [\n {\n \"code\": \"ignore\"\n },\n {\n \"code\": \"syslog\"\n },\n {\n \"code\": \"suspend\"\n },\n {\n \"code\": \"rotate\"\n },\n {\n \"code\": \"keep_logs\"\n }\n ]\n },\n \"text\": \"The default action to take when the logs reach their maximum size\\nis to rotate the log files, discarding the oldest one. To configure the action taken\\nby, add or correct the line in:Possible values forare described in theman\\npage. These include:Set thetoto ensure log rotation\\noccurs. This is the default. The setting is case-insensitive.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"rotate\",\n \"keep_logs\"\n ],\n \"text\": \"Automatically rotating logs (by setting this to)\\nminimizes the chances of the system unexpectedly running out of disk space by\\nbeing overwhelmed with log data. However, for systems that must never discard\\nlog data, or which use external processes to transfer it and reclaim space,can be employed.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_max_log_file_action=''\\n\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^max_log_file_action\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_max_log_file_action\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^max_log_file_action\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^max_log_file_action\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_max_log_file_action\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_max_log_file_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000140"
+ ],
+ "nist": [
+ "AU-5 b",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (1)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000140",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000047-GPOS-00023",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000140",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000047-GPOS-00023",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd max_log_file_action Upon Reaching Maximum Log Size",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig",
+ "desc": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "descriptions": [
+ {
+ "data": "Automatically rotating logs (by setting this to)\nminimizes the chances of the system unexpectedly running out of disk space by\nbeing overwhelmed with log data. However, for systems that must never discard\nlog data, or which use external processes to transfer it and reclaim space,can be employed.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd max_log_file_action Upon Reaching Maximum Log Size\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"auditd.conf\",\n {\n \"i\": \"ACTION\"\n },\n \"rotate\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"max_log_file_action =\"\n },\n \"i\": \"ACTION\",\n \"ul\": {\n \"li\": [\n {\n \"code\": \"ignore\"\n },\n {\n \"code\": \"syslog\"\n },\n {\n \"code\": \"suspend\"\n },\n {\n \"code\": \"rotate\"\n },\n {\n \"code\": \"keep_logs\"\n }\n ]\n },\n \"text\": \"The default action to take when the logs reach their maximum size\\nis to rotate the log files, discarding the oldest one. To configure the action taken\\nby, add or correct the line in:Possible values forare described in theman\\npage. These include:Set thetoto ensure log rotation\\noccurs. This is the default. The setting is case-insensitive.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000140\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000047-GPOS-00023\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"rotate\",\n \"keep_logs\"\n ],\n \"text\": \"Automatically rotating logs (by setting this to)\\nminimizes the chances of the system unexpectedly running out of disk space by\\nbeing overwhelmed with log data. However, for systems that must never discard\\nlog data, or which use external processes to transfer it and reclaim space,can be employed.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_max_log_file_action_stig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby, add or correct the line in:Possible values forare described in theman\npage. These include:Set thetoto ensure log rotation\noccurs. This is the default. The setting is case-insensitive.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AU-11",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Determine how many log filesshould retain when it rotates logs.\nEdit the file. Add or modify the following\nline, substitutingwith the correct value of:Set the value to 5 for general-purpose systems.\nNote that values less than 2 result in no log rotation.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_num_logs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_num_logs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_num_logs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_num_logs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_num_logs",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AU-11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Number of log files for auditd to retain",
+ "lang": "en-US"
+ },
+ "description": "The setting for num_logs in /etc/audit/auditd.conf",
+ "value": [
+ {
+ "text": "0",
+ "selector": "0"
+ },
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "2",
+ "selector": "2"
+ },
+ {
+ "text": "3",
+ "selector": "3"
+ },
+ {
+ "text": "4",
+ "selector": "4"
+ },
+ {
+ "text": "5",
+ "selector": "5"
+ },
+ {
+ "text": "10",
+ "selector": "10"
+ },
+ {
+ "text": "20",
+ "selector": "20"
+ },
+ {
+ "text": "50",
+ "selector": "50"
+ },
+ {
+ "text": "100",
+ "selector": "100"
+ },
+ "5"
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_num_logs",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AU-11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd Number of Logs Retained",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs",
+ "desc": "Determine how many log filesshould retain when it rotates logs.\nEdit the file. Add or modify the following\nline, substitutingwith the correct value of:Set the value to 5 for general-purpose systems.\nNote that values less than 2 result in no log rotation.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_num_logs=''\n\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^num_logs\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_num_logs\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^num_logs\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^num_logs\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "The total storage for audit log files must be large enough to retain\nlog information over the period required. This is a function of the maximum log\nfile size and the number of logs retained.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd Number of Logs Retained\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\"\n ],\n \"i\": \"NUMLOGS\",\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_num_logs\",\n \"use\": \"legacy\"\n },\n \"pre\": {\n \"i\": \"NUMLOGS\",\n \"text\": \"num_logs =\"\n },\n \"text\": \"Determine how many log filesshould retain when it rotates logs.\\nEdit the file. Add or modify the following\\nline, substitutingwith the correct value of:Set the value to 5 for general-purpose systems.\\nNote that values less than 2 result in no log rotation.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AU-11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The total storage for audit log files must be large enough to retain\\nlog information over the period required. This is a function of the maximum log\\nfile size and the number of logs retained.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_num_logs\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_num_logs=''\\n\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^num_logs\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_num_logs\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^num_logs\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^num_logs\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_num_logs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_num_logs:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_num_logs\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_num_logs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_num_logs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Determine how many log filesshould retain when it rotates logs.\nEdit the file. Add or modify the following\nline, substitutingwith the correct value of:Set the value to 5 for general-purpose systems.\nNote that values less than 2 result in no log rotation.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001855"
+ ],
+ "nist": [
+ "AU-5 (1)",
+ "AU-5 b.",
+ "AU-5 (2)",
+ "AU-5 (4)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be configured to take an action\nwhen disk spaceto run low.\nEdit the file. Modify the following line,\nsubstitutingappropriately:Possible values forare described in theman page.\nThese include:Set this to(instead of the default,\nwhich is) as it is more likely to get prompt attention. Acceptable values\nalso include,, and.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_space_left_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_space_left_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "auditd_data_retention_space_left_action",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001855",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AU-5(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000343-GPOS-00134",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000343-VMM-001240",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Action for auditd to take when disk space just starts to run low",
+ "lang": "en-US"
+ },
+ "description": "The setting for space_left_action in /etc/audit/auditd.conf",
+ "value": [
+ "email",
+ {
+ "text": "email",
+ "selector": "email"
+ },
+ {
+ "text": "exec",
+ "selector": "exec"
+ },
+ {
+ "text": "halt",
+ "selector": "halt"
+ },
+ {
+ "text": "single",
+ "selector": "single"
+ },
+ {
+ "text": "suspend",
+ "selector": "suspend"
+ },
+ {
+ "text": "syslog",
+ "selector": "syslog"
+ },
+ {
+ "text": "rotate",
+ "selector": "rotate"
+ },
+ {
+ "text": "ignore",
+ "selector": "ignore"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_auditd_space_left_action",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001855",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AU-5(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000343-GPOS-00134",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000343-VMM-001240"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure auditd space_left Action on Low Disk Space",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action",
+ "desc": "Theservice can be configured to take an action\nwhen disk spaceto run low.\nEdit the file. Modify the following line,\nsubstitutingappropriately:Possible values forare described in theman page.\nThese include:Set this to(instead of the default,\nwhich is) as it is more likely to get prompt attention. Acceptable values\nalso include,, and.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\n' 'auditd' 2>/dev/null | grep -q installed; then\n\nvar_auditd_space_left_action=''\n\n\n#\n# If space_left_action present in /etc/audit/auditd.conf, change value\n# to var_auditd_space_left_action, else\n# add \"space_left_action = $var_auditd_space_left_action\" to /etc/audit/auditd.conf\n#\n\nAUDITCONFIG=/etc/audit/auditd.conf\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"$AUDITCONFIG\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^space_left_action\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s = %s\" \"$stripped_key\" \"$var_auditd_space_left_action\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^space_left_action\\\\>\" \"$AUDITCONFIG\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^space_left_action\\\\>.*/$escaped_formatted_output/gi\" \"$AUDITCONFIG\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"$AUDITCONFIG\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Notifying administrators of an impending disk space problem may\nallow them to take corrective action prior to any disruption.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure auditd space_left Action on Low Disk Space\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"/etc/audit/auditd.conf\",\n \"auditd.conf\",\n \"email\",\n \"suspend\",\n \"suspend\",\n \"single\",\n \"halt\"\n ],\n \"i\": [\n \"starts\",\n \"ACTION\",\n \"ACTION\"\n ],\n \"pre\": {\n \"i\": \"ACTION\",\n \"text\": \"space_left_action =\"\n },\n \"ul\": {\n \"li\": [\n {\n \"code\": \"syslog\"\n },\n {\n \"code\": \"email\"\n },\n {\n \"code\": \"exec\"\n },\n {\n \"code\": \"suspend\"\n },\n {\n \"code\": \"single\"\n },\n {\n \"code\": \"halt\"\n }\n ]\n },\n \"text\": \"Theservice can be configured to take an action\\nwhen disk spaceto run low.\\nEdit the file. Modify the following line,\\nsubstitutingappropriately:Possible values forare described in theman page.\\nThese include:Set this to(instead of the default,\\nwhich is) as it is more likely to get prompt attention. Acceptable values\\nalso include,, and.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001855\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AU-5(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000343-GPOS-00134\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000343-VMM-001240\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Notifying administrators of an impending disk space problem may\\nallow them to take corrective action prior to any disruption.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left_action\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nvar_auditd_space_left_action=''\\n\\n\\n#\\n# If space_left_action present in /etc/audit/auditd.conf, change value\\n# to var_auditd_space_left_action, else\\n# add \\\"space_left_action = $var_auditd_space_left_action\\\" to /etc/audit/auditd.conf\\n#\\n\\nAUDITCONFIG=/etc/audit/auditd.conf\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"$AUDITCONFIG\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^space_left_action\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$var_auditd_space_left_action\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^space_left_action\\\\\\\\>\\\" \\\"$AUDITCONFIG\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^space_left_action\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"$AUDITCONFIG\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"$AUDITCONFIG\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_data_retention_space_left_action\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_auditd_space_left_action:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_auditd_space_left_action\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_data_retention_space_left_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be configured to take an action\nwhen disk spaceto run low.\nEdit the file. Modify the following line,\nsubstitutingappropriately:Possible values forare described in theman page.\nThese include:Set this to(instead of the default,\nwhich is) as it is more likely to get prompt attention. Acceptable values\nalso include,, and.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6"
+ ],
+ "severity": "medium",
+ "description": "To configure Audit daemon to issue an explicit flush to disk command\nafter writingrecords, settoin.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_freq",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_freq:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_freq_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000051-GPOS-00024",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_freq",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000051-GPOS-00024",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set number of records to cause an explicit flush to audit logs",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_freq",
+ "desc": "To configure Audit daemon to issue an explicit flush to disk command\nafter writingrecords, settoin.",
+ "descriptions": [
+ {
+ "data": "If optionisn't set to, the flush to disk\nmay happen after higher number of records, increasing the danger\nof audit loss.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set number of records to cause an explicit flush to audit logs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_freq\",\n \"use\": \"legacy\"\n },\n \"code\": [\n \"freq\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_freq\",\n \"use\": \"legacy\"\n }\n },\n \"/etc/audit/auditd.conf\"\n ],\n \"text\": \"To configure Audit daemon to issue an explicit flush to disk command\\nafter writingrecords, settoin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000051-GPOS-00024\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"freq\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_auditd_freq\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"text\": \"If optionisn't set to, the flush to disk\\nmay happen after higher number of records, increasing the danger\\nof audit loss.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif [ -e \\\"/etc/audit/auditd.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*freq\\\\s*=\\\\s*/Id\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n touch \\\"/etc/audit/auditd.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/audit/auditd.conf\\\"\\n\\ncp \\\"/etc/audit/auditd.conf\\\" \\\"/etc/audit/auditd.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"freq = 50\\\" >> \\\"/etc/audit/auditd.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/audit/auditd.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_freq\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_freq\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Set number of records to cause an explicit flush to audit logs\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*freq\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*freq\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: true\\n regexp: (?i)^\\\\s*freq\\\\s*=\\\\s*\\n line: freq = 50\\n state: present\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_freq\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"auditd_freq\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_freq:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_freq_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_freq\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure Audit daemon to issue an explicit flush to disk command\nafter writingrecords, settoin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6"
+ ],
+ "severity": "medium",
+ "description": "To configure Audit daemon to include local events in Audit logs, settoin.\nThis is the default setting.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_local_events",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_local_events:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_local_events_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_local_events",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Include Local Events in Audit Logs",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_local_events",
+ "desc": "To configure Audit daemon to include local events in Audit logs, settoin.\nThis is the default setting.",
+ "descriptions": [
+ {
+ "data": "If optionisn't set toonly events from\nnetwork will be aggregated.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Include Local Events in Audit Logs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"local_events\",\n \"yes\",\n \"/etc/audit/auditd.conf\"\n ],\n \"text\": \"To configure Audit daemon to include local events in Audit logs, settoin.\\nThis is the default setting.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"local_events\",\n \"yes\"\n ],\n \"text\": \"If optionisn't set toonly events from\\nnetwork will be aggregated.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif [ -e \\\"/etc/audit/auditd.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*local_events\\\\s*=\\\\s*/Id\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n touch \\\"/etc/audit/auditd.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/audit/auditd.conf\\\"\\n\\ncp \\\"/etc/audit/auditd.conf\\\" \\\"/etc/audit/auditd.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"local_events = yes\\\" >> \\\"/etc/audit/auditd.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/audit/auditd.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_local_events\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_local_events\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Include Local Events in Audit Logs\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*local_events\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*local_events\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: true\\n regexp: (?i)^\\\\s*local_events\\\\s*=\\\\s*\\n line: local_events = yes\\n state: present\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_local_events\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"auditd_local_events\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_local_events:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_local_events_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_local_events\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure Audit daemon to include local events in Audit logs, settoin.\nThis is the default setting.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6",
+ "AU-3"
+ ],
+ "severity": "low",
+ "description": "To configure Audit daemon to resolve all uid, gid, syscall,\narchitecture, and socket address information before writing the\nevents to disk, settoin.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_log_format",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_log_format:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_log_format_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.2",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000255-GPOS-00096",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_log_format",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.2",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000255-GPOS-00096",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Resolve information before writing to audit logs",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_log_format",
+ "desc": "To configure Audit daemon to resolve all uid, gid, syscall,\narchitecture, and socket address information before writing the\nevents to disk, settoin.",
+ "descriptions": [
+ {
+ "data": "If optionisn't set to, the\naudit records will be stored in a format exactly as the kernel sends them.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Resolve information before writing to audit logs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"log_format\",\n \"ENRICHED\",\n \"/etc/audit/auditd.conf\"\n ],\n \"text\": \"To configure Audit daemon to resolve all uid, gid, syscall,\\narchitecture, and socket address information before writing the\\nevents to disk, settoin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.2\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000255-GPOS-00096\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"log_format\",\n \"ENRICHED\"\n ],\n \"text\": \"If optionisn't set to, the\\naudit records will be stored in a format exactly as the kernel sends them.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif [ -e \\\"/etc/audit/auditd.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*log_format\\\\s*=\\\\s*/Id\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n touch \\\"/etc/audit/auditd.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/audit/auditd.conf\\\"\\n\\ncp \\\"/etc/audit/auditd.conf\\\" \\\"/etc/audit/auditd.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"log_format = ENRICHED\\\" >> \\\"/etc/audit/auditd.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/audit/auditd.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_log_format\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-3\\n - NIST-800-53-CM-6\\n - auditd_log_format\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Resolve information before writing to audit logs\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*log_format\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*log_format\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: true\\n regexp: (?i)^\\\\s*log_format\\\\s*=\\\\s*\\n line: log_format = ENRICHED\\n state: present\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-3\\n - NIST-800-53-CM-6\\n - auditd_log_format\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"auditd_log_format\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_log_format:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_log_format_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_log_format\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure Audit daemon to resolve all uid, gid, syscall,\narchitecture, and socket address information before writing the\nevents to disk, settoin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)",
+ "CM-6",
+ "AU-3"
+ ],
+ "severity": "medium",
+ "description": "To configure Audit daemon to use value returned by gethostname\nsyscall as computer node name in the audit events,\nsettoin.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_name_format",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_name_format:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_name_format_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.2",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000039-GPOS-00017",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_name_format",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.2",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000039-GPOS-00017",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set hostname as computer node name in audit logs",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_name_format",
+ "desc": "To configure Audit daemon to use value returned by gethostname\nsyscall as computer node name in the audit events,\nsettoin.",
+ "descriptions": [
+ {
+ "data": "If optionis left at its default value of, audit events from different computers may be hard\nto distinguish.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set hostname as computer node name in audit logs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"name_format\",\n \"hostname\",\n \"/etc/audit/auditd.conf\"\n ],\n \"text\": \"To configure Audit daemon to use value returned by gethostname\\nsyscall as computer node name in the audit events,\\nsettoin.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.2\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000039-GPOS-00017\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"name_format\",\n \"none\"\n ],\n \"text\": \"If optionis left at its default value of, audit events from different computers may be hard\\nto distinguish.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_name_format:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_name_format_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_name_format\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure Audit daemon to use value returned by gethostname\nsyscall as computer node name in the audit events,\nsettoin.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)"
+ ],
+ "severity": "medium",
+ "description": "The audit system should have an action setup in the event the internal event queue becomes full.\nTo setup an overflow action edit. Setto one of the following values:,,.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_overflow_action",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_overflow_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_overflow_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_overflow_action",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Appropriate Action Must be Setup When the Internal Audit Event Queue is Full",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_overflow_action",
+ "desc": "The audit system should have an action setup in the event the internal event queue becomes full.\nTo setup an overflow action edit. Setto one of the following values:,,.",
+ "descriptions": [
+ {
+ "data": "The audit system should have an action setup in the event the internal event queue becomes full\nso that no data is lost.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Appropriate Action Must be Setup When the Internal Audit Event Queue is Full\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/audit/auditd.conf\",\n \"overflow_action\",\n \"syslog\",\n \"single\",\n \"halt\"\n ],\n \"text\": \"The audit system should have an action setup in the event the internal event queue becomes full.\\nTo setup an overflow action edit. Setto one of the following values:,,.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The audit system should have an action setup in the event the internal event queue becomes full\\nso that no data is lost.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_overflow_action:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_overflow_action_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_overflow_action\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit system should have an action setup in the event the internal event queue becomes full.\nTo setup an overflow action edit. Setto one of the following values:,,.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6"
+ ],
+ "severity": "medium",
+ "description": "To configure Audit daemon to write Audit logs to the disk, settoin.\nThis is the default setting.",
+ "group_id": "xccdf_org.ssgproject.content_group_configure_auditd_data_retention",
+ "group_title": "Configure auditd Data Retention",
+ "group_description": "The audit system writes data to. By default,rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.Using a dedicated partition forprevents thelogs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity infrom filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, thencan be configured to halt the machine\nif it runs out of space.Since older logs are rotated,\nconfiguringthis way does not prevent older logs from being\nrotated away before they can be viewed.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_auditd_write_logs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_write_logs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_write_logs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_STG.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_auditd_write_logs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_STG.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Write Audit Logs to the Disk",
+ "id": "xccdf_org.ssgproject.content_rule_auditd_write_logs",
+ "desc": "To configure Audit daemon to write Audit logs to the disk, settoin.\nThis is the default setting.",
+ "descriptions": [
+ {
+ "data": "Ifisn't set to, the Audit logs will\nnot be written to the disk.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Write Audit Logs to the Disk\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"write_logs\",\n \"yes\",\n \"/etc/audit/auditd.conf\"\n ],\n \"text\": \"To configure Audit daemon to write Audit logs to the disk, settoin.\\nThis is the default setting.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_STG.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"write_logs\",\n \"yes\"\n ],\n \"text\": \"Ifisn't set to, the Audit logs will\\nnot be written to the disk.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; then\\n\\nif [ -e \\\"/etc/audit/auditd.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*write_logs\\\\s*=\\\\s*/Id\\\" \\\"/etc/audit/auditd.conf\\\"\\nelse\\n touch \\\"/etc/audit/auditd.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/audit/auditd.conf\\\"\\n\\ncp \\\"/etc/audit/auditd.conf\\\" \\\"/etc/audit/auditd.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"write_logs = yes\\\" >> \\\"/etc/audit/auditd.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/audit/auditd.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"auditd_write_logs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_write_logs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n\\n- name: Write Audit Logs to the Disk\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*write_logs\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: false\\n regexp: (?i)^\\\\s*write_logs\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/audit/auditd.conf\\n lineinfile:\\n path: /etc/audit/auditd.conf\\n create: true\\n regexp: (?i)^\\\\s*write_logs\\\\s*=\\\\s*\\n line: write_logs = yes\\n state: present\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6\\n - auditd_write_logs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"auditd_write_logs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-auditd_write_logs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-auditd_write_logs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_auditd_write_logs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure Audit daemon to write Audit logs to the disk, settoin.\nThis is the default setting.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)"
+ ],
+ "severity": "medium",
+ "description": "The audit-audispd-plugins package should be installed.",
+ "group_id": "xccdf_org.ssgproject.content_group_auditing",
+ "group_title": "System Accounting with auditd",
+ "group_description": "The audit service provides substantial capabilities\nfor recording system activities. By default, the service audits about\nSELinux AVC denials and certain types of security-relevant events\nsuch as system logins, account modifications, and authentication\nevents performed by programs such as sudo.\nUnder its default configuration,has modest disk space\nrequirements, and should not noticeably impact system performance.NOTE: The Linux Audit daemoncan be configured to use\ntheprogram to read audit rules files ()\nlocated inlocation and compile them to create\nthe resulting form of theconfiguration file\nduring the daemon startup (default configuration). Alternatively, thedaemon can use theutility to read audit rules from theconfiguration file during daemon startup,\nand load them into the kernel. The expected behavior is configured via the\nappropriatedirective setting in theconfiguration file.\nTo instruct thedaemon to use theprogram\nto read audit rules (default configuration), use the following setting:in theconfiguration file.\nIn order to instruct thedaemon to use theutility to read audit rules, use the following setting:in theconfiguration file.\nRefer tosection of theconfiguration file for further details.Government networks often have substantial auditing\nrequirements andcan be configured to meet these\nrequirements.\nExamining some example audit records demonstrates how the Linux audit system\nsatisfies common requirements.\nThe following example from Red Hat Enterprise Linux 7 Documentation available atshows the substantial amount of information captured in a\ntwo typical \"raw\" audit messages, followed by a breakdown of the most important\nfields. In this example the message is SELinux-related and reports an AVC\ndenial (and the associated system call) that occurred when the Apache HTTP\nServer attempted to access thefile (labeled with\nthetype):",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_audit-audispd-plugins_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_audit-audispd-plugins_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "Req-10.5.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "Req-10.5.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure the default plugins for the audit dispatcher are Installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed",
+ "desc": "The audit-audispd-plugins package should be installed.",
+ "descriptions": [
+ {
+ "data": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure the default plugins for the audit dispatcher are Installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The audit-audispd-plugins package should be installed.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"Req-10.5.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"audispd-plugins\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_audit-audispd-plugins_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure audispd-plugins is installed\\n package:\\n name: audispd-plugins\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - PCI-DSS-Req-10.5.3\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_audit-audispd-plugins_installed\",\n \"id\": \"package_audit-audispd-plugins_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_audispd-plugins\\n\\nclass install_audispd-plugins {\\n package { 'audispd-plugins':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_audit-audispd-plugins_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"audispd-plugins\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_audit-audispd-plugins_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_audit-audispd-plugins_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_audit-audispd-plugins_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit-audispd-plugins package should be installed.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000130",
+ "CCI-000131",
+ "CCI-000132",
+ "CCI-000133",
+ "CCI-000134",
+ "CCI-000135",
+ "CCI-000154",
+ "CCI-000158",
+ "CCI-000172",
+ "CCI-001464",
+ "CCI-001487",
+ "CCI-001814",
+ "CCI-001875",
+ "CCI-001876",
+ "CCI-001877",
+ "CCI-001878",
+ "CCI-001879",
+ "CCI-001880",
+ "CCI-001881",
+ "CCI-001882",
+ "CCI-001889",
+ "CCI-001914",
+ "CCI-002884",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-3 a",
+ "AU-3 b",
+ "AU-3 c",
+ "AU-3 d",
+ "AU-3 e",
+ "AU-3 (1)",
+ "AU-6 (4)",
+ "AU-7 (1)",
+ "AU-12 c",
+ "AU-14 (1)",
+ "AU-3 f",
+ "CM-5 (1)",
+ "AU-7 a",
+ "AU-7 b",
+ "AU-8 b",
+ "AU-12 (3)",
+ "MA-4 (1) (a)",
+ "AU-12 a",
+ "AC-7 a.",
+ "AU-7 (2)",
+ "AU-14",
+ "AU-12 (2)",
+ "AU-2 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The audit package should be installed.",
+ "group_id": "xccdf_org.ssgproject.content_group_auditing",
+ "group_title": "System Accounting with auditd",
+ "group_description": "The audit service provides substantial capabilities\nfor recording system activities. By default, the service audits about\nSELinux AVC denials and certain types of security-relevant events\nsuch as system logins, account modifications, and authentication\nevents performed by programs such as sudo.\nUnder its default configuration,has modest disk space\nrequirements, and should not noticeably impact system performance.NOTE: The Linux Audit daemoncan be configured to use\ntheprogram to read audit rules files ()\nlocated inlocation and compile them to create\nthe resulting form of theconfiguration file\nduring the daemon startup (default configuration). Alternatively, thedaemon can use theutility to read audit rules from theconfiguration file during daemon startup,\nand load them into the kernel. The expected behavior is configured via the\nappropriatedirective setting in theconfiguration file.\nTo instruct thedaemon to use theprogram\nto read audit rules (default configuration), use the following setting:in theconfiguration file.\nIn order to instruct thedaemon to use theutility to read audit rules, use the following setting:in theconfiguration file.\nRefer tosection of theconfiguration file for further details.Government networks often have substantial auditing\nrequirements andcan be configured to meet these\nrequirements.\nExamining some example audit records demonstrates how the Linux audit system\nsatisfies common requirements.\nThe following example from Red Hat Enterprise Linux 7 Documentation available atshows the substantial amount of information captured in a\ntwo typical \"raw\" audit messages, followed by a breakdown of the most important\nfields. In this example the message is SELinux-related and reports an AVC\ndenial (and the associated system call) that occurred when the Apache HTTP\nServer attempted to access thefile (labeled with\nthetype):",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_audit_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_audit_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_audit_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R50)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000131",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000132",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000133",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000134",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000154",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000158",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001464",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001814",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001875",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001876",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001877",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001878",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001879",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001880",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001881",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001882",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001889",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001914",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-7(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-7(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-14",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-2(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FAU_GEN.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.2.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000038-GPOS-00016",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000039-GPOS-00017",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000040-GPOS-00018",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000041-GPOS-00019",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00021",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000051-GPOS-00024",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000054-GPOS-00025",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000122-GPOS-00063",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000254-GPOS-00095",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000255-GPOS-00096",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000337-GPOS-00129",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000348-GPOS-00136",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000349-GPOS-00137",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000350-GPOS-00138",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000351-GPOS-00139",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000352-GPOS-00140",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000353-GPOS-00141",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000354-GPOS-00142",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000358-GPOS-00145",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000365-GPOS-00152",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000475-GPOS-00220",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_audit_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R50)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000131",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000132",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000133",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000134",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000154",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000158",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001464",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001814",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001875",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001876",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001877",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001878",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001879",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001880",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001881",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001882",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001889",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001914",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-7(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-7(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-14",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-2(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.2.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000038-GPOS-00016",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000039-GPOS-00017",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000040-GPOS-00018",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000041-GPOS-00019",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00021",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000051-GPOS-00024",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000054-GPOS-00025",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000122-GPOS-00063",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000254-GPOS-00095",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000255-GPOS-00096",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000337-GPOS-00129",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000348-GPOS-00136",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000349-GPOS-00137",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000350-GPOS-00138",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000351-GPOS-00139",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000352-GPOS-00140",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000353-GPOS-00141",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000354-GPOS-00142",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000358-GPOS-00145",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000365-GPOS-00152",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000475-GPOS-00220",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure the audit Subsystem is Installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_audit_installed",
+ "desc": "The audit package should be installed.",
+ "descriptions": [
+ {
+ "data": "The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure the audit Subsystem is Installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The audit package should be installed.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R50)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000131\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000132\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000133\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000134\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000154\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000158\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001464\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001814\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001875\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001876\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001877\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001878\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001879\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001880\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001881\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001882\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001889\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001914\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-7(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-7(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-14\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-2(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.2.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000038-GPOS-00016\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000039-GPOS-00017\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000040-GPOS-00018\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000041-GPOS-00019\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00021\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000051-GPOS-00024\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000054-GPOS-00025\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000122-GPOS-00063\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000254-GPOS-00095\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000255-GPOS-00096\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000337-GPOS-00129\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000348-GPOS-00136\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000349-GPOS-00137\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000350-GPOS-00138\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000351-GPOS-00139\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000352-GPOS-00140\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000353-GPOS-00141\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000354-GPOS-00142\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000358-GPOS-00145\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000365-GPOS-00152\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000475-GPOS-00220\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"auditd\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_audit_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure auditd is installed\\n package:\\n name: auditd\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-7(a)\\n - NIST-800-53-AU-12(2)\\n - NIST-800-53-AU-14\\n - NIST-800-53-AU-2(a)\\n - NIST-800-53-AU-7(1)\\n - NIST-800-53-AU-7(2)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.2.1\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_audit_installed\",\n \"id\": \"package_audit_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_auditd\\n\\nclass install_auditd {\\n package { 'auditd':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_audit_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"auditd\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_audit_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_audit_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_audit_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_audit_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The audit package should be installed.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000126",
+ "CCI-000130",
+ "CCI-000131",
+ "CCI-000132",
+ "CCI-000133",
+ "CCI-000134",
+ "CCI-000135",
+ "CCI-000154",
+ "CCI-000158",
+ "CCI-000172",
+ "CCI-000366",
+ "CCI-001464",
+ "CCI-001487",
+ "CCI-001814",
+ "CCI-001875",
+ "CCI-001876",
+ "CCI-001877",
+ "CCI-002884",
+ "CCI-001878",
+ "CCI-001879",
+ "CCI-001880",
+ "CCI-001881",
+ "CCI-001882",
+ "CCI-001889",
+ "CCI-001914",
+ "CCI-000169"
+ ],
+ "nist": [
+ "AU-2 c",
+ "AU-3 a",
+ "AU-3 b",
+ "AU-3 c",
+ "AU-3 d",
+ "AU-3 e",
+ "AU-3 (1)",
+ "AU-6 (4)",
+ "AU-7 (1)",
+ "AU-12 c",
+ "CM-6 b",
+ "AU-14 (1)",
+ "AU-3 f",
+ "CM-5 (1)",
+ "AU-7 a",
+ "MA-4 (1) (a)",
+ "AU-7 b",
+ "AU-8 b",
+ "AU-12 (3)",
+ "AU-12 a",
+ "AC-2 g.",
+ "AU-3",
+ "AU-10",
+ "AU-2 d.",
+ "AU-12 c.",
+ "AC-6 (9)",
+ "CM-6 a.",
+ "SI-4 (23)"
+ ],
+ "severity": "medium",
+ "description": "Theservice is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nTheservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_auditing",
+ "group_title": "System Accounting with auditd",
+ "group_description": "The audit service provides substantial capabilities\nfor recording system activities. By default, the service audits about\nSELinux AVC denials and certain types of security-relevant events\nsuch as system logins, account modifications, and authentication\nevents performed by programs such as sudo.\nUnder its default configuration,has modest disk space\nrequirements, and should not noticeably impact system performance.NOTE: The Linux Audit daemoncan be configured to use\ntheprogram to read audit rules files ()\nlocated inlocation and compile them to create\nthe resulting form of theconfiguration file\nduring the daemon startup (default configuration). Alternatively, thedaemon can use theutility to read audit rules from theconfiguration file during daemon startup,\nand load them into the kernel. The expected behavior is configured via the\nappropriatedirective setting in theconfiguration file.\nTo instruct thedaemon to use theprogram\nto read audit rules (default configuration), use the following setting:in theconfiguration file.\nIn order to instruct thedaemon to use theutility to read audit rules, use the following setting:in theconfiguration file.\nRefer tosection of theconfiguration file for further details.Government networks often have substantial auditing\nrequirements andcan be configured to meet these\nrequirements.\nExamining some example audit records demonstrates how the Linux audit system\nsatisfies common requirements.\nThe following example from Red Hat Enterprise Linux 7 Documentation available atshows the substantial amount of information captured in a\ntwo typical \"raw\" audit messages, followed by a breakdown of the most important\nfields. In this example the message is SELinux-related and reports an AVC\ndenial (and the associated system call) that occurred when the Apache HTTP\nServer attempted to access thefile (labeled with\nthetype):",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_auditd_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_auditd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_auditd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "19",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.4.1.1",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO12.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI08.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS02.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.3.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.3.2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.3.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000126",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000130",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000131",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000132",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000133",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000134",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000135",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000154",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000158",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000172",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001464",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001487",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001814",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001875",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001876",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001877",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002884",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001878",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001879",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001880",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001881",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001882",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001889",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001914",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000169",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(a)(2)(iv)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.10",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.16.1.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-2(g)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-2(d)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-12(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-14(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(9)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SI-4(23)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.AE-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "RS.AN-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000062-GPOS-00031",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000037-GPOS-00015",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000038-GPOS-00016",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000039-GPOS-00017",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000040-GPOS-00018",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000041-GPOS-00019",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000042-GPOS-00021",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000051-GPOS-00024",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000054-GPOS-00025",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000122-GPOS-00063",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000254-GPOS-00095",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000255-GPOS-00096",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000337-GPOS-00129",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000348-GPOS-00136",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000349-GPOS-00137",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000350-GPOS-00138",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000351-GPOS-00139",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000352-GPOS-00140",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000353-GPOS-00141",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000354-GPOS-00142",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000358-GPOS-00145",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000365-GPOS-00152",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000392-GPOS-00172",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000475-GPOS-00220",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000037-VMM-000150",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000063-VMM-000310",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000038-VMM-000160",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000039-VMM-000170",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000040-VMM-000180",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000041-VMM-000190",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_auditd_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "19",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.4.1.1",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO12.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI08.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS02.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.3.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.3.2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.3.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000126",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000130",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000131",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000132",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000133",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000134",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000135",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000154",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000158",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000172",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001464",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001487",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001814",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001875",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001876",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001877",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002884",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001878",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001879",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001880",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001881",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001882",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001889",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001914",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000169",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(a)(2)(iv)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.10",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.16.1.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-2(g)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-2(d)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-12(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-14(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(9)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SI-4(23)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.AE-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "RS.AN-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000062-GPOS-00031",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000037-GPOS-00015",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000038-GPOS-00016",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000039-GPOS-00017",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000040-GPOS-00018",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000041-GPOS-00019",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000042-GPOS-00021",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000051-GPOS-00024",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000054-GPOS-00025",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000122-GPOS-00063",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000254-GPOS-00095",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000255-GPOS-00096",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000337-GPOS-00129",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000348-GPOS-00136",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000349-GPOS-00137",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000350-GPOS-00138",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000351-GPOS-00139",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000352-GPOS-00140",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000353-GPOS-00141",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000354-GPOS-00142",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000358-GPOS-00145",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000365-GPOS-00152",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000392-GPOS-00172",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000475-GPOS-00220",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000037-VMM-000150"
+ },
+ {
+ "ref": "SRG-OS-000063-VMM-000310"
+ },
+ {
+ "ref": "SRG-OS-000038-VMM-000160"
+ },
+ {
+ "ref": "SRG-OS-000039-VMM-000170"
+ },
+ {
+ "ref": "SRG-OS-000040-VMM-000180"
+ },
+ {
+ "ref": "SRG-OS-000041-VMM-000190"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable auditd Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_auditd_enabled",
+ "desc": "Theservice is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nTheservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Without establishing what type of events occurred, it would be difficult\nto establish, correlate, and investigate the events leading up to an outage or attack.\nEnsuring theservice is active ensures audit records\ngenerated by the kernel are appropriately recorded.Additionally, a properly configured audit subsystem ensures that actions of\nindividual system users can be uniquely traced to those users so they\ncan be held accountable for their actions.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable auditd Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"auditd\",\n \"auditd\"\n ],\n \"pre\": \"$ sudo systemctl enable auditd.service\",\n \"text\": \"Theservice is an essential userspace component of\\nthe Linux Auditing System, as it is responsible for writing audit records to\\ndisk.\\n\\nTheservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"19\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.4.1.1\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO12.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI08.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS02.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.3.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.3.2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.3.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000126\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000130\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000131\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000132\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000133\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000134\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000135\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000154\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000158\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000172\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001464\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001487\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001814\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001875\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001876\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001877\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002884\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001878\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001879\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001880\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001881\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001882\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001889\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001914\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000169\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(a)(2)(iv)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.10\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.16.1.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-2(g)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-2(d)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-12(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-14(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(9)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SI-4(23)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.AE-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"RS.AN-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000062-GPOS-00031\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000037-GPOS-00015\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000038-GPOS-00016\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000039-GPOS-00017\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000040-GPOS-00018\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000041-GPOS-00019\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000042-GPOS-00021\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000051-GPOS-00024\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000054-GPOS-00025\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000122-GPOS-00063\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000254-GPOS-00095\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000255-GPOS-00096\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000337-GPOS-00129\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000348-GPOS-00136\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000349-GPOS-00137\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000350-GPOS-00138\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000351-GPOS-00139\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000352-GPOS-00140\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000353-GPOS-00141\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000354-GPOS-00142\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000358-GPOS-00145\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000365-GPOS-00152\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000392-GPOS-00172\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000475-GPOS-00220\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000037-VMM-000150\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000063-VMM-000310\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000038-VMM-000160\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000039-VMM-000170\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000040-VMM-000180\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000041-VMM-000190\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"code\": \"auditd\",\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Without establishing what type of events occurred, it would be difficult\\nto establish, correlate, and investigate the events leading up to an outage or attack.\\nEnsuring theservice is active ensures audit records\\ngenerated by the kernel are appropriately recorded.Additionally, a properly configured audit subsystem ensures that actions of\\nindividual system users can be uniquely traced to those users so they\\ncan be held accountable for their actions.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_audit\"\n },\n \"requires\": {\n \"idref\": \"xccdf_org.ssgproject.content_rule_package_audit_installed\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'auditd' 2>/dev/null | grep -q installed; }; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'auditd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'auditd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'auditd.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_auditd_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.3.2\\n - NIST-800-171-3.3.6\\n - NIST-800-53-AC-2(g)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-10\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-14(1)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-AU-3\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SI-4(23)\\n - PCI-DSS-Req-10.1\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_auditd_enabled\\n\\n- name: Enable service auditd\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service auditd\\n service:\\n name: auditd\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"auditd\\\" in ansible_facts.packages'\\n tags:\\n - CJIS-5.4.1.1\\n - NIST-800-171-3.3.1\\n - NIST-800-171-3.3.2\\n - NIST-800-171-3.3.6\\n - NIST-800-53-AC-2(g)\\n - NIST-800-53-AC-6(9)\\n - NIST-800-53-AU-10\\n - NIST-800-53-AU-12(c)\\n - NIST-800-53-AU-14(1)\\n - NIST-800-53-AU-2(d)\\n - NIST-800-53-AU-3\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SI-4(23)\\n - PCI-DSS-Req-10.1\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_auditd_enabled\",\n \"id\": \"service_auditd_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_auditd\\n\\nclass enable_auditd {\\n service {'auditd':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_auditd_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"auditd\\\"]\",\n \"id\": \"service_auditd_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_auditd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_auditd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_auditd_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nTheservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Ubuntu 18.04 systems support an \"recovery boot\" option that can be used\nto prevent services from being started. Theconfiguration option inshould be set toto disable the generation of recovery mode menu entries. It is\nalso required to change the runtime configuration, run:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_disable_recovery",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_disable_recovery:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_disable_recovery",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm",
+ "ref": [
+ {
+ "text": "FIA_UAU.1"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Recovery Booting",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_disable_recovery",
+ "desc": "Ubuntu 18.04 systems support an \"recovery boot\" option that can be used\nto prevent services from being started. Theconfiguration option inshould be set toto disable the generation of recovery mode menu entries. It is\nalso required to change the runtime configuration, run:",
+ "descriptions": [
+ {
+ "data": "Using recovery boot, the console user could disable auditing, firewalls,\nor other services, weakening system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Recovery Booting\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"GRUB_DISABLE_RECOVERY\",\n \"/etc/default/grub\",\n \"true\"\n ],\n \"pre\": \"$ sudo update-grub\",\n \"text\": \"Ubuntu 18.04 systems support an \\\"recovery boot\\\" option that can be used\\nto prevent services from being started. Theconfiguration option inshould be set toto disable the generation of recovery mode menu entries. It is\\nalso required to change the runtime configuration, run:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n \"rationale\": {\n \"text\": \"Using recovery boot, the console user could disable auditing, firewalls,\\nor other services, weakening system security.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#grub2\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed; then\\n\\nif grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then\\n sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' \\\"/etc/default/grub\\\"\\nelse\\n echo \\\"GRUB_DISABLE_RECOVERY=true\\\" >> '/etc/default/grub'\\nfi\\n\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_disable_recovery\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - grub2_disable_recovery\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Verify GRUB_DISABLE_RECOVERY=true\\n lineinfile:\\n path: /etc/default/grub\\n regexp: ^GRUB_DISABLE_RECOVERY=.*\\n line: GRUB_DISABLE_RECOVERY=true\\n state: present\\n when: '\\\"grub2-common\\\" in ansible_facts.packages'\\n tags:\\n - grub2_disable_recovery\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\\n\\n- name: Update grub defaults and the bootloader menu\\n command: /sbin/grubby --update-kernel=ALL\\n when: '\\\"grub2-common\\\" in ansible_facts.packages'\\n tags:\\n - grub2_disable_recovery\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - reboot_required\\n - restrict_strategy\",\n \"id\": \"grub2_disable_recovery\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_disable_recovery:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_disable_recovery\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ubuntu 18.04 systems support an \"recovery boot\" option that can be used\nto prevent services from being started. Theconfiguration option inshould be set toto disable the generation of recovery mode menu entries. It is\nalso required to change the runtime configuration, run:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some\n of the system critical units such as the memory.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_enable_iommu_force:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_enable_iommu_force_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R11)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R11)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "IOMMU configuration directive",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force",
+ "desc": "On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some\n of the system critical units such as the memory.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by\n hardware devices.",
+ "label": "rationale"
+ },
+ {
+ "data": "Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"IOMMU configuration directive\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"iommu=force\",\n \"iommu=force\",\n \"/etc/default/grub\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"... iommu=force ...\\\"\",\n \"# update-grub\"\n ],\n \"text\": \"On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some\\n of the system critical units such as the memory.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n \"reference\": {\n \"text\": \"BP28(R11)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by\\n hardware devices.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*iommu=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an iommu= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)iommu=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1iommu=force\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no iommu=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 iommu=force\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_enable_iommu_force\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"[customizations.kernel]\\nappend = \\\"iommu=force\\\"\",\n \"id\": \"grub2_enable_iommu_force\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_enable_iommu_force:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_enable_iommu_force_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some\n of the system critical units such as the memory.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged\nspeculative access to data which is available in the Level 1 Data Cache when\nthe page table entry isn't present.\n\nSelect the appropriate mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_l1tf_argument",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_l1tf_options:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_l1tf_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_l1tf_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_l1tf_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "L1TF vulnerability mitigation",
+ "lang": "en-US"
+ },
+ "description": "Defines the L1TF vulneratility mitigations to employ.",
+ "value": [
+ "flush",
+ {
+ "text": "full",
+ "selector": "full"
+ },
+ {
+ "text": "full,force",
+ "selector": "full_force"
+ },
+ {
+ "text": "flush",
+ "selector": "flush"
+ },
+ {
+ "text": "flush,nosmt",
+ "selector": "flush_nosmt"
+ },
+ {
+ "text": "flush,nowarn",
+ "selector": "flush_nowarn"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_l1tf_options",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure L1 Terminal Fault mitigations",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_l1tf_argument",
+ "desc": "L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged\nspeculative access to data which is available in the Level 1 Data Cache when\nthe page table entry isn't present.\n\nSelect the appropriate mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "The L1TF vulnerability allows an attacker to bypass memory access security controls imposed\nby the system or hypervisor. The L1TF vulnerability allows read access to any physical memory\nlocation that is cached in the L1 Data Cache.",
+ "label": "rationale"
+ },
+ {
+ "data": "Enabling L1TF mitigations may impact performance of the system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Configure L1 Terminal Fault mitigations\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"l1tf=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"l1tf=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"l1tf=\"\n },\n \"/etc/default/grub\",\n \"cat /sys/devices/system/cpu/vulnerabilities/l1tf\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"GRUB_CMDLINE_LINUX=\\\"... l1tf=...\\\"\"\n },\n \"# update-grub\"\n ],\n \"text\": \"L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged\\nspeculative access to data which is available in the Level 1 Data Cache when\\nthe page table entry isn't present.\\n\\nSelect the appropriate mitigation by adding the argumentto the default\\nGRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Enabling L1TF mitigations may impact performance of the system.\",\n \"lang\": \"en-US\",\n \"category\": \"performance\"\n },\n \"rationale\": {\n \"text\": \"The L1TF vulnerability allows an attacker to bypass memory access security controls imposed\\nby the system or hypervisor. The L1TF vulnerability allows read access to any physical memory\\nlocation that is cached in the L1 Data Cache.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\nvar_l1tf_options=''\\n\\n\\n\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*l1tf=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an l1tf= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)l1tf=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1l1tf=$var_l1tf_options\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no l1tf=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 l1tf=$var_l1tf_options\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_l1tf_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"[customizations.kernel]\\nappend = \\\"l1tf=\\\"\",\n \"id\": \"grub2_l1tf_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_l1tf_options:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_l1tf_options\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_l1tf_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_l1tf_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_l1tf_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged\nspeculative access to data which is available in the Level 1 Data Cache when\nthe page table entry isn't present.\n\nSelect the appropriate mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "A Machine Check Exception is an error generated by the CPU itdetects an error\nin itself, memory or I/O devices.\nThese errors may be corrected and generate a check log entry, if an error\ncannot be corrected the kernel may panic or SIGBUS.\n\nTo force the kernel to panic on any uncorrected error reported by Machine Check\nset the MCE tolerance to zero by addingto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_mce_argument",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_mce_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_mce_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_mce_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Force kernel panic on uncorrected MCEs",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_mce_argument",
+ "desc": "A Machine Check Exception is an error generated by the CPU itdetects an error\nin itself, memory or I/O devices.\nThese errors may be corrected and generate a check log entry, if an error\ncannot be corrected the kernel may panic or SIGBUS.\n\nTo force the kernel to panic on any uncorrected error reported by Machine Check\nset the MCE tolerance to zero by addingto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue\ntrying to exploit a vulnerability such as Rowhammer.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Force kernel panic on uncorrected MCEs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"mce=0\",\n \"mce=0\",\n \"mce=0\",\n \"/etc/default/grub\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"... mce=0 ...\\\"\",\n \"# update-grub\"\n ],\n \"text\": \"A Machine Check Exception is an error generated by the CPU itdetects an error\\nin itself, memory or I/O devices.\\nThese errors may be corrected and generate a check log entry, if an error\\ncannot be corrected the kernel may panic or SIGBUS.\\n\\nTo force the kernel to panic on any uncorrected error reported by Machine Check\\nset the MCE tolerance to zero by addingto the default GRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue\\ntrying to exploit a vulnerability such as Rowhammer.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*mce=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an mce= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)mce=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1mce=0\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no mce=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 mce=0\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_mce_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"[customizations.kernel]\\nappend = \\\"mce=0\\\"\",\n \"id\": \"grub2_mce_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_mce_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_mce_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_mce_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "A Machine Check Exception is an error generated by the CPU itdetects an error\nin itself, memory or I/O devices.\nThese errors may be corrected and generate a check log entry, if an error\ncannot be corrected the kernel may panic or SIGBUS.\n\nTo force the kernel to panic on any uncorrected error reported by Machine Check\nset the MCE tolerance to zero by addingto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into\nmemory pages in the user space, it is enabled by default since Linux kernel 3.7.\nBut it could be disabled through kernel boot parameters.\n\nEnsure that Supervisor Mode Access Prevention (SMAP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_nosmap_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "grub2_nosmap_argument_absent",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure SMAP is not disabled during boot",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent",
+ "desc": "The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into\nmemory pages in the user space, it is enabled by default since Linux kernel 3.7.\nBut it could be disabled through kernel boot parameters.\n\nEnsure that Supervisor Mode Access Prevention (SMAP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*nosmap=.*\"' '/etc/default/grub' ; then\n sed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)nosmap=?[^[:space:]]*\\(.*\"\\)/\\1 \\2/' '/etc/default/grub'\nfi\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and\nmanipulation of data in the user space.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure SMAP is not disabled during boot\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosmap\",\n \"/etc/default/grub\",\n \"nosmap\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"...\\\"\",\n \"# grubby --update-kernel=ALL --remove-args=\\\"nosmap\\\"\"\n ],\n \"text\": \"The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into\\nmemory pages in the user space, it is enabled by default since Linux kernel 3.7.\\nBut it could be disabled through kernel boot parameters.\\n\\nEnsure that Supervisor Mode Access Prevention (SMAP) is not disabled by\\ntheboot paramenter option.\\n\\nCheck that the linewithindoesn't contain the argument.\\nRun the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and\\nmanipulation of data in the user space.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*nosmap=.*\\\"' '/etc/default/grub' ; then\\n sed -i 's/\\\\(^GRUB_CMDLINE_LINUX=\\\".*\\\\)nosmap=?[^[:space:]]*\\\\(.*\\\"\\\\)/\\\\1 \\\\2/' '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_nosmap_argument_absent\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_nosmap_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into\nmemory pages in the user space, it is enabled by default since Linux kernel 3.7.\nBut it could be disabled through kernel boot parameters.\n\nEnsure that Supervisor Mode Access Prevention (SMAP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The SMEP is used to prevent the supervisor mode from executing user space code,\nit is enabled by default since Linux kernel 3.0. But it could be disabled through\nkernel boot parameters.\n\nEnsure that Supervisor Mode Execution Prevention (SMEP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_nosmep_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "grub2_nosmep_argument_absent",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure SMEP is not disabled during boot",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent",
+ "desc": "The SMEP is used to prevent the supervisor mode from executing user space code,\nit is enabled by default since Linux kernel 3.0. But it could be disabled through\nkernel boot parameters.\n\nEnsure that Supervisor Mode Execution Prevention (SMEP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*nosmep=.*\"' '/etc/default/grub' ; then\n sed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)nosmep=?[^[:space:]]*\\(.*\"\\)/\\1 \\2/' '/etc/default/grub'\nfi\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows\nthe kernel to unintentionally execute code in less privileged memory space.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure SMEP is not disabled during boot\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosmep\",\n \"/etc/default/grub\",\n \"nosmep\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"...\\\"\",\n \"# grubby --update-kernel=ALL --remove-args=\\\"nosmep\\\"\"\n ],\n \"text\": \"The SMEP is used to prevent the supervisor mode from executing user space code,\\nit is enabled by default since Linux kernel 3.0. But it could be disabled through\\nkernel boot parameters.\\n\\nEnsure that Supervisor Mode Execution Prevention (SMEP) is not disabled by\\ntheboot paramenter option.\\n\\nCheck that the linewithindoesn't contain the argument.\\nRun the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows\\nthe kernel to unintentionally execute code in less privileged memory space.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*nosmep=.*\\\"' '/etc/default/grub' ; then\\n sed -i 's/\\\\(^GRUB_CMDLINE_LINUX=\\\".*\\\\)nosmep=?[^[:space:]]*\\\\(.*\\\"\\\\)/\\\\1 \\\\2/' '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_nosmep_argument_absent\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_nosmep_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SMEP is used to prevent the supervisor mode from executing user space code,\nit is enabled by default since Linux kernel 3.0. But it could be disabled through\nkernel boot parameters.\n\nEnsure that Supervisor Mode Execution Prevention (SMEP) is not disabled by\ntheboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "The TPM security chip that is available in most modern systems has a hardware RNG.\nIt is also used to feed the entropy pool, but generally not credited entropy.\n\nUsein the kernel command line to set the trust\nlevel on the hardware generators. The trust level defines the amount of entropy to credit.\nA value oftells the system not to trust the hardware random number generators\navailable, and doesn't credit any entropy to the pool.\nA value ofassigns full confidence in the generators, and credits all the\nentropy it provides to the pool.\n\nNote that the value ofis global, affecting the trust\non all hardware random number generators.\n\nSelect the appropriate confidence by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_rng_core_default_quality:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_rng_core_default_quality_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_rng_core_default_quality_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Confidence level on Hardware Random Number Generator",
+ "lang": "en-US"
+ },
+ "description": "Defines the level of trust on the hardware random number generators available in the\nsystem and the percentage of entropy to credit.",
+ "value": [
+ "500",
+ {
+ "text": "500",
+ "selector": "500"
+ },
+ {
+ "text": "512",
+ "selector": "512"
+ },
+ {
+ "text": "1000",
+ "selector": "1000"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_rng_core_default_quality",
+ "type": "string",
+ "interactive": "true"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure the confidence in TPM for entropy",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument",
+ "desc": "The TPM security chip that is available in most modern systems has a hardware RNG.\nIt is also used to feed the entropy pool, but generally not credited entropy.\n\nUsein the kernel command line to set the trust\nlevel on the hardware generators. The trust level defines the amount of entropy to credit.\nA value oftells the system not to trust the hardware random number generators\navailable, and doesn't credit any entropy to the pool.\nA value ofassigns full confidence in the generators, and credits all the\nentropy it provides to the pool.\n\nNote that the value ofis global, affecting the trust\non all hardware random number generators.\n\nSelect the appropriate confidence by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "A system may struggle to initialize its entropy pool and end up starving. Crediting entropy\nfrom the hardware number generators available in the system helps fill up the entropy pool.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Configure the confidence in TPM for entropy\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rng_core.default_quality\",\n \"0\",\n \"1000\",\n \"rng_core.default_quality\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"rng_core.default_quality=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"rng_core.default_quality=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"rng_core.default_quality=\"\n },\n \"/etc/default/grub\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"GRUB_CMDLINE_LINUX=\\\"... rng_core.default_quality=...\\\"\"\n },\n \"# update-grub\"\n ],\n \"text\": \"The TPM security chip that is available in most modern systems has a hardware RNG.\\nIt is also used to feed the entropy pool, but generally not credited entropy.\\n\\nUsein the kernel command line to set the trust\\nlevel on the hardware generators. The trust level defines the amount of entropy to credit.\\nA value oftells the system not to trust the hardware random number generators\\navailable, and doesn't credit any entropy to the pool.\\nA value ofassigns full confidence in the generators, and credits all the\\nentropy it provides to the pool.\\n\\nNote that the value ofis global, affecting the trust\\non all hardware random number generators.\\n\\nSelect the appropriate confidence by adding the argumentto the default\\nGRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"A system may struggle to initialize its entropy pool and end up starving. Crediting entropy\\nfrom the hardware number generators available in the system helps fill up the entropy pool.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\nvar_rng_core_default_quality=''\\n\\n\\n\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*rng_core.default_quality=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an rng_core.default_quality= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)rng_core.default_quality=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1rng_core.default_quality=$var_rng_core_default_quality\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no rng_core.default_quality=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 rng_core.default_quality=$var_rng_core_default_quality\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_rng_core_default_quality_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\",\n \"use\": \"legacy\"\n },\n \"text\": \"[customizations.kernel]\\nappend = \\\"rng_core.default_quality=\\\"\",\n \"id\": \"grub2_rng_core_default_quality_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_rng_core_default_quality:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rng_core_default_quality\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_rng_core_default_quality_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_rng_core_default_quality_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The TPM security chip that is available in most modern systems has a hardware RNG.\nIt is also used to feed the entropy pool, but generally not credited entropy.\n\nUsein the kernel command line to set the trust\nlevel on the hardware generators. The trust level defines the amount of entropy to credit.\nA value oftells the system not to trust the hardware random number generators\navailable, and doesn't credit any entropy to the pool.\nA value ofassigns full confidence in the generators, and credits all the\nentropy it provides to the pool.\n\nNote that the value ofis global, affecting the trust\non all hardware random number generators.\n\nSelect the appropriate confidence by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The kernel may merge similar slabs together to reduce overhead and increase\ncache hotness of objects.\nDisabling merging of slabs keeps the slabs separate and reduces the risk of\nkernel heap overflows overwriting objects in merged caches.\n\nTo disable merging of slabs in the Kernel add the argumentto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_slab_nomerge_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_slab_nomerge_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable merging of slabs with similar size",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument",
+ "desc": "The kernel may merge similar slabs together to reduce overhead and increase\ncache hotness of objects.\nDisabling merging of slabs keeps the slabs separate and reduces the risk of\nkernel heap overflows overwriting objects in merged caches.\n\nTo disable merging of slabs in the Kernel add the argumentto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "Disabling the merge of slabs of similar sizes prevents the kernel from\nmerging a seemingly useless but vulnerable slab with a useful and valuable slab.\nThis increase the risk that a heap overflow could overwrite objects from merged caches,\nwith unmerged caches the heap overflow would only affect the objects in the same cache.\nOverall, this reduces the kernel attack surface area by isolating slabs from each other.",
+ "label": "rationale"
+ },
+ {
+ "data": "Disabling merge of slabs will slightly increase kernel memory utilization.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable merging of slabs with similar size\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"slab_nomerge=yes\",\n \"slab_nomerge=yes\",\n \"slab_nomerge=yes\",\n \"/etc/default/grub\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"... slab_nomerge=yes ...\\\"\",\n \"# update-grub\"\n ],\n \"text\": \"The kernel may merge similar slabs together to reduce overhead and increase\\ncache hotness of objects.\\nDisabling merging of slabs keeps the slabs separate and reduces the risk of\\nkernel heap overflows overwriting objects in merged caches.\\n\\nTo disable merging of slabs in the Kernel add the argumentto the default GRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Disabling merge of slabs will slightly increase kernel memory utilization.\",\n \"lang\": \"en-US\",\n \"category\": \"performance\"\n },\n \"rationale\": {\n \"text\": \"Disabling the merge of slabs of similar sizes prevents the kernel from\\nmerging a seemingly useless but vulnerable slab with a useful and valuable slab.\\nThis increase the risk that a heap overflow could overwrite objects from merged caches,\\nwith unmerged caches the heap overflow would only affect the objects in the same cache.\\nOverall, this reduces the kernel attack surface area by isolating slabs from each other.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*slab_nomerge=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an slab_nomerge= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)slab_nomerge=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1slab_nomerge=yes\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no slab_nomerge=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 slab_nomerge=yes\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_slab_nomerge_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"[customizations.kernel]\\nappend = \\\"slab_nomerge=yes\\\"\",\n \"id\": \"grub2_slab_nomerge_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_slab_nomerge_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_slab_nomerge_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The kernel may merge similar slabs together to reduce overhead and increase\ncache hotness of objects.\nDisabling merging of slabs keeps the slabs separate and reduces the risk of\nkernel heap overflows overwriting objects in merged caches.\n\nTo disable merging of slabs in the Kernel add the argumentto the default GRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Certain CPUs are vulnerable to an exploit against a common wide industry wide performance\noptimization known as Speculative Store Bypass (SSB).\n\nIn such cases, recent stores to the same memory location cannot always be observed by later\nloads during speculative execution. However, such stores are unlikely and thus they can be\ndetected prior to instruction retirement at the end of a particular speculation execution\nwindow.\n\nSince Linux Kernel 4.17 you can check the SSB mitigation state with the following command:Select the appropriate SSB state by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_spec_store_bypass_disable_options:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_spec_store_bypass_disable_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_spec_store_bypass_disable_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Spec Store Bypass Mitigation",
+ "lang": "en-US"
+ },
+ "description": "This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.",
+ "value": [
+ "prctl",
+ {
+ "text": "on",
+ "selector": "on"
+ },
+ {
+ "text": "auto",
+ "selector": "auto"
+ },
+ {
+ "text": "prctl",
+ "selector": "prctl"
+ },
+ {
+ "text": "seccomp",
+ "selector": "seccomp"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Speculative Store Bypass Mitigation",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument",
+ "desc": "Certain CPUs are vulnerable to an exploit against a common wide industry wide performance\noptimization known as Speculative Store Bypass (SSB).\n\nIn such cases, recent stores to the same memory location cannot always be observed by later\nloads during speculative execution. However, such stores are unlikely and thus they can be\ndetected prior to instruction retirement at the end of a particular speculation execution\nwindow.\n\nSince Linux Kernel 4.17 you can check the SSB mitigation state with the following command:Select the appropriate SSB state by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel\nattack. An example of this is reading memory to which the attacker does not directly have access,\nfor example inside the sandboxed code.",
+ "label": "rationale"
+ },
+ {
+ "data": "Disabling Speculative Store Bypass may impact performance of the system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Speculative Store Bypass Mitigation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"spec_store_bypass_disable=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"spec_store_bypass_disable=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"spec_store_bypass_disable=\"\n },\n \"/etc/default/grub\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"GRUB_CMDLINE_LINUX=\\\"... spec_store_bypass_disable=...\\\"\"\n },\n \"# update-grub\"\n ],\n \"text\": \"Certain CPUs are vulnerable to an exploit against a common wide industry wide performance\\noptimization known as Speculative Store Bypass (SSB).\\n\\nIn such cases, recent stores to the same memory location cannot always be observed by later\\nloads during speculative execution. However, such stores are unlikely and thus they can be\\ndetected prior to instruction retirement at the end of a particular speculation execution\\nwindow.\\n\\nSince Linux Kernel 4.17 you can check the SSB mitigation state with the following command:Select the appropriate SSB state by adding the argumentto the default\\nGRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Disabling Speculative Store Bypass may impact performance of the system.\",\n \"lang\": \"en-US\",\n \"category\": \"performance\"\n },\n \"rationale\": {\n \"text\": \"In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel\\nattack. An example of this is reading memory to which the attacker does not directly have access,\\nfor example inside the sandboxed code.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\nvar_spec_store_bypass_disable_options=''\\n\\n\\n\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*spec_store_bypass_disable=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an spec_store_bypass_disable= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)spec_store_bypass_disable=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1spec_store_bypass_disable=$var_spec_store_bypass_disable_options\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no spec_store_bypass_disable=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 spec_store_bypass_disable=$var_spec_store_bypass_disable_options\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_spec_store_bypass_disable_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\",\n \"use\": \"legacy\"\n },\n \"text\": \"[customizations.kernel]\\nappend = \\\"spec_store_bypass_disable=\\\"\",\n \"id\": \"grub2_spec_store_bypass_disable_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_spec_store_bypass_disable_options:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_spec_store_bypass_disable_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_spec_store_bypass_disable_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Certain CPUs are vulnerable to an exploit against a common wide industry wide performance\noptimization known as Speculative Store Bypass (SSB).\n\nIn such cases, recent stores to the same memory location cannot always be observed by later\nloads during speculative execution. However, such stores are unlikely and thus they can be\ndetected prior to instruction retirement at the end of a particular speculation execution\nwindow.\n\nSince Linux Kernel 4.17 you can check the SSB mitigation state with the following command:Select the appropriate SSB state by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.\nAn exploit for Spectre V2 tricks the indirect branch predictor into executing\ncode from a future indirect branch chosen by the attacker, even if the privilege\nlevel is different.\n\nSince Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:Enforce the Spectre V2 mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_spectre_v2_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_spectre_v2_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enforce Spectre v2 mitigation",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument",
+ "desc": "Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.\nAn exploit for Spectre V2 tricks the indirect branch predictor into executing\ncode from a future indirect branch chosen by the attacker, even if the privilege\nlevel is different.\n\nSince Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:Enforce the Spectre V2 mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "The Spectre V2 vulnerability allows an attacker to read memory that he should not have\naccess to.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Enforce Spectre v2 mitigation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"cat /sys/devices/system/cpu/vulnerabilities/spectre_v2\",\n \"spectre_v2=on\",\n \"spectre_v2=on)\",\n \"spectre_v2=on)\",\n \"/etc/default/grub\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"... spectre_v2=on) ...\\\"\",\n \"# update-grub\"\n ],\n \"text\": \"Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.\\nAn exploit for Spectre V2 tricks the indirect branch predictor into executing\\ncode from a future indirect branch chosen by the attacker, even if the privilege\\nlevel is different.\\n\\nSince Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:Enforce the Spectre V2 mitigation by adding the argumentto the default\\nGRUB 2 command line for the Linux operating system.\\nTo ensure thatis added as a kernel command line\\nargument to newly installed kernels, addto the\\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"The Spectre V2 vulnerability allows an attacker to read memory that he should not have\\naccess to.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*spectre_v2=.*\\\"' '/etc/default/grub' ; then\\n # modify the GRUB command-line if an spectre_v2= arg already exists\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)spectre_v2=[^[:space:]]\\\\+\\\\(.*\\\\\\\"\\\\)/\\\\1spectre_v2=on\\\\2/\\\" '/etc/default/grub'\\nelse\\n # no spectre_v2=arg is present, append it\\n sed -i \\\"s/\\\\(^GRUB_CMDLINE_LINUX=\\\\\\\".*\\\\)\\\\\\\"/\\\\1 spectre_v2=on\\\\\\\"/\\\" '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_spectre_v2_argument\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"[customizations.kernel]\\nappend = \\\"spectre_v2=on\\\"\",\n \"id\": \"grub2_spectre_v2_argument\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_spectre_v2_argument:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_spectre_v2_argument_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.\nAn exploit for Spectre V2 tricks the indirect branch predictor into executing\ncode from a future indirect branch chosen by the attacker, even if the privilege\nlevel is different.\n\nSince Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:Enforce the Spectre V2 mitigation by adding the argumentto the default\nGRUB 2 command line for the Linux operating system.\nTo ensure thatis added as a kernel command line\nargument to newly installed kernels, addto the\ndefault Grub2 command line for Linux operating systems. Modify the line withinas shown below:Run the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "systemd'sservice is intended to\ndiagnose systemd related boot issues with variouscommands. Once enabled and following a system reboot, the root shell\nwill be available onwhich is access by pressing. Theservice should only be used\nfor systemd related issues and should otherwise be disabled.By default, thesystemd service is already disabled.\n\nEnsure the debug-shell is not enabled by theboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "group_id": "xccdf_org.ssgproject.content_group_bootloader-grub2",
+ "group_title": "GRUB2 bootloader configuration",
+ "group_description": "During the boot process, the boot loader is\nresponsible for starting the execution of the kernel and passing\noptions to it. The boot loader allows for the selection of\ndifferent kernels - possibly on different partitions or media.\nThe default Ubuntu 18.04 boot loader for x86 systems is called GRUB2.\nOptions it can pass to the kernel include, which\nprovides root access without any authentication, and the ability to\ndisable SELinux. To prevent local users from modifying the boot\nparameters and endangering security, protect the boot loader configuration\nwith a password and ensure its configuration file's permissions\nare set properly.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_systemd_debug-shell_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "grub2_systemd_debug-shell_argument_absent",
+ "reference": {
+ "references": {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm",
+ "ref": [
+ {
+ "text": "FIA_UAU.1"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure debug-shell service is not enabled during boot",
+ "id": "xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent",
+ "desc": "systemd'sservice is intended to\ndiagnose systemd related boot issues with variouscommands. Once enabled and following a system reboot, the root shell\nwill be available onwhich is access by pressing. Theservice should only be used\nfor systemd related issues and should otherwise be disabled.By default, thesystemd service is already disabled.\n\nEnsure the debug-shell is not enabled by theboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif dpkg-query --show --showformat='${db:Status-Status}\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\n\n# Correct the form of default kernel command line in GRUB\nif grep -q '^GRUB_CMDLINE_LINUX=.*systemd.debug-shell=.*\"' '/etc/default/grub' ; then\n sed -i 's/\\(^GRUB_CMDLINE_LINUX=\".*\\)systemd.debug-shell=?[^[:space:]]*\\(.*\"\\)/\\1 \\2/' '/etc/default/grub'\nfi\nupdate-grub\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "This prevents attackers with physical access from trivially bypassing security\non the machine through valid troubleshooting configurations and gaining root\naccess when the system is rebooted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure debug-shell service is not enabled during boot\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"debug-shell\",\n \"systemctl\",\n \"tty9\",\n \"CTRL-ALT-F9\",\n \"debug-shell\",\n \"debug-shell\",\n \"systemd.debug-shel=1\",\n \"/etc/default/grub\",\n \"systemd.debug-shell=1\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": [\n \"GRUB_CMDLINE_LINUX=\\\"...\\\"\",\n \"# grubby --update-kernel=ALL --remove-args=\\\"systemd.debug-shell\\\"\"\n ],\n \"text\": \"systemd'sservice is intended to\\ndiagnose systemd related boot issues with variouscommands. Once enabled and following a system reboot, the root shell\\nwill be available onwhich is access by pressing. Theservice should only be used\\nfor systemd related issues and should otherwise be disabled.By default, thesystemd service is already disabled.\\n\\nEnsure the debug-shell is not enabled by theboot paramenter option.\\n\\nCheck that the linewithindoesn't contain the argument.\\nRun the following command to update command line for already installed kernels:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n \"rationale\": {\n \"text\": \"This prevents attackers with physical access from trivially bypassing security\\non the machine through valid troubleshooting configurations and gaining root\\naccess when the system is rebooted.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then\\n\\n# Correct the form of default kernel command line in GRUB\\nif grep -q '^GRUB_CMDLINE_LINUX=.*systemd.debug-shell=.*\\\"' '/etc/default/grub' ; then\\n sed -i 's/\\\\(^GRUB_CMDLINE_LINUX=\\\".*\\\\)systemd.debug-shell=?[^[:space:]]*\\\\(.*\\\"\\\\)/\\\\1 \\\\2/' '/etc/default/grub'\\nfi\\nupdate-grub\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"grub2_systemd_debug-shell_argument_absent\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-grub2_systemd_debug-shell_argument_absent_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "systemd'sservice is intended to\ndiagnose systemd related boot issues with variouscommands. Once enabled and following a system reboot, the root shell\nwill be available onwhich is access by pressing. Theservice should only be used\nfor systemd related issues and should otherwise be disabled.By default, thesystemd service is already disabled.\n\nEnsure the debug-shell is not enabled by theboot paramenter option.\n\nCheck that the linewithindoesn't contain the argument.\nRun the following command to update command line for already installed kernels:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "For each solid-state drive on the system, run:",
+ "group_id": "xccdf_org.ssgproject.content_group_entropy",
+ "group_title": "Protect Random-Number Entropy Pool",
+ "group_description": "The I/O operations of the Linux kernel block layer due to their inherently\nunpredictable execution times have been traditionally considered as a reliable\nsource to contribute to random-number entropy pool of the Linux kernel. This\nhas changed with introduction of solid-state storage devices (SSDs) though.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives",
+ "desc": "For each solid-state drive on the system, run:",
+ "descriptions": [
+ {
+ "data": "In contrast to traditional electromechanical magnetic disks, containing\nspinning disks and / or movable read / write heads, the solid-state storage\ndevices (SSDs) do not contain moving / mechanical components. Therefore the\nI/O operation completion times are much more predictable for them.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"# echo 0 > /sys/block/DRIVE/queue/add_random\",\n \"text\": \"For each solid-state drive on the system, run:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"In contrast to traditional electromechanical magnetic disks, containing\\nspinning disks and / or movable read / write heads, the solid-state storage\\ndevices (SSDs) do not contain moving / mechanical components. Therefore the\\nI/O operation completion times are much more predictable for them.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "For each solid-state drive on the system, run:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting\nthe system.\nThis configuration is available from kernel 3.0.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_acpi_custom_method:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_acpi_custom_method_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Do not allow ACPI methods to be inserted/replaced at run time",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method",
+ "desc": "This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting\nthe system.\nThis configuration is available from kernel 3.0.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Enabling this feature allows arbitrary kernel memory to be written to by root (uid=0) users,\nallowing them to bypass certain security measures",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Do not allow ACPI methods to be inserted/replaced at run time\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_ACPI_CUSTOM_METHOD\",\n \"grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-*\"\n ],\n \"text\": \"This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting\\nthe system.\\nThis configuration is available from kernel 3.0.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Enabling this feature allows arbitrary kernel memory to be written to by root (uid=0) users,\\nallowing them to bypass certain security measures\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_acpi_custom_method:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_acpi_custom_method_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting\nthe system.\nThis configuration is available from kernel 3.0.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enablingmakes it possible to plug wrapper-driven binary formats\ninto the kernel. This is specially useful for programs that need an interpreter to run like\nJava, Python and DOS emulators. Once you have registered such a binary class with the kernel,\nyou can start one of those programs simply by typing in its name at a shell prompt.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_binfmt_misc",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_binfmt_misc:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_binfmt_misc_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_binfmt_misc",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable kernel support for MISC binaries",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_binfmt_misc",
+ "desc": "Enablingmakes it possible to plug wrapper-driven binary formats\ninto the kernel. This is specially useful for programs that need an interpreter to run like\nJava, Python and DOS emulators. Once you have registered such a binary class with the kernel,\nyou can start one of those programs simply by typing in its name at a shell prompt.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "This disables arbitrary binary format support and helps reduce attack surface.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable kernel support for MISC binaries\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"CONFIG_BINFMT_MISC\",\n \"/boot/config-*\",\n \"CONFIG_BINFMT_MISC\",\n \"grep CONFIG_BINFMT_MISC /boot/config-*\"\n ],\n \"text\": \"Enablingmakes it possible to plug wrapper-driven binary formats\\ninto the kernel. This is specially useful for programs that need an interpreter to run like\\nJava, Python and DOS emulators. Once you have registered such a binary class with the kernel,\\nyou can start one of those programs simply by typing in its name at a shell prompt.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This disables arbitrary binary format support and helps reduce attack surface.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_binfmt_misc:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_binfmt_misc_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_binfmt_misc\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enablingmakes it possible to plug wrapper-driven binary formats\ninto the kernel. This is specially useful for programs that need an interpreter to run like\nJava, Python and DOS emulators. Once you have registered such a binary class with the kernel,\nyou can start one of those programs simply by typing in its name at a shell prompt.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel\nimage and potentially quietly ignoring numerous fatal conditions. You should only consider\ndisabling this option for embedded systems with no facilities for reporting errors.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_bug",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_bug:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_bug_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_bug",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable support for BUG()",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_bug",
+ "desc": "Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel\nimage and potentially quietly ignoring numerous fatal conditions. You should only consider\ndisabling this option for embedded systems with no facilities for reporting errors.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Not setting this variable may hide a number of critical errors.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable support for BUG()\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_BUG\",\n \"grep CONFIG_BUG /boot/config-*\"\n ],\n \"text\": \"Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel\\nimage and potentially quietly ignoring numerous fatal conditions. You should only consider\\ndisabling this option for embedded systems with no facilities for reporting errors.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Not setting this variable may hide a number of critical errors.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_bug:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_bug_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_bug\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel\nimage and potentially quietly ignoring numerous fatal conditions. You should only consider\ndisabling this option for embedded systems with no facilities for reporting errors.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enabling compatiliby withallows legacy binaries to run (i.e. those linked\nagainst libc5). But this compatibility comes at the cost of not being able to randomize\nthe heap placement (ASLR).\n\nUnless legacy binaries need to run on the system, setto.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_compat_brk",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_compat_brk:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_compat_brk_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_compat_brk",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable compatibility with brk()",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_compat_brk",
+ "desc": "Enabling compatiliby withallows legacy binaries to run (i.e. those linked\nagainst libc5). But this compatibility comes at the cost of not being able to randomize\nthe heap placement (ASLR).\n\nUnless legacy binaries need to run on the system, setto.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Enabling compatibility with brk() disables support for ASLR.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable compatibility with brk()\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"brk()\",\n \"CONFIG_COMPAT_BRK\",\n \"\\\"n\\\"\",\n \"/boot/config-*\",\n \"CONFIG_COMPAT_BRK\",\n \"grep CONFIG_COMPAT_BRK /boot/config-*\"\n ],\n \"text\": \"Enabling compatiliby withallows legacy binaries to run (i.e. those linked\\nagainst libc5). But this compatibility comes at the cost of not being able to randomize\\nthe heap placement (ASLR).\\n\\nUnless legacy binaries need to run on the system, setto.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Enabling compatibility with brk() disables support for ASLR.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_compat_brk:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_compat_brk_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_compat_brk\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enabling compatiliby withallows legacy binaries to run (i.e. those linked\nagainst libc5). But this compatibility comes at the cost of not being able to randomize\nthe heap placement (ASLR).\n\nUnless legacy binaries need to run on the system, setto.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO\nthat is not mapped at the address indicated in its segment table.\nSettingtoturns off the 32-bit VDSO and works\naroud the glibc bug.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_compat_vdso:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_compat_vdso_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable the 32-bit vDSO",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso",
+ "desc": "Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO\nthat is not mapped at the address indicated in its segment table.\nSettingtoturns off the 32-bit VDSO and works\naroud the glibc bug.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Enabling VDSO compatibility hurts performance and disables ASLR.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable the 32-bit vDSO\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"CONFIG_COMPAT_VDSO\",\n \"y\",\n \"/boot/config-*\",\n \"CONFIG_COMPAT_VDSO\",\n \"grep CONFIG_COMPAT_VDSO /boot/config-*\"\n ],\n \"text\": \"Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO\\nthat is not mapped at the address indicated in its segment table.\\nSettingtoturns off the 32-bit VDSO and works\\naroud the glibc bug.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Enabling VDSO compatibility hurts performance and disables ASLR.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_compat_vdso:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_compat_vdso_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO\nthat is not mapped at the address indicated in its segment table.\nSettingtoturns off the 32-bit VDSO and works\naroud the glibc bug.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Enable this to turn on some debug checking for credential management. The additional code keeps\ntrack of the number of pointers from task_structs to any given cred struct, and checks to see\nthat this number never exceeds the usage count of the cred struct.\n\nFurthermore, if SELinux is enabled, this also checks that the security pointer in the cred\nstruct is never seen to be invalid.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_credentials",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_credentials:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_credentials_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_debug_credentials",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable checks on credential management",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_credentials",
+ "desc": "Enable this to turn on some debug checking for credential management. The additional code keeps\ntrack of the number of pointers from task_structs to any given cred struct, and checks to see\nthat this number never exceeds the usage count of the cred struct.\n\nFurthermore, if SELinux is enabled, this also checks that the security pointer in the cred\nstruct is never seen to be invalid.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This adds sanity checks and validations to credential data structures.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Enable checks on credential management\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEBUG_CREDENTIALS\",\n \"grep CONFIG_DEBUG_CREDENTIALS /boot/config-*\"\n ],\n \"text\": \"Enable this to turn on some debug checking for credential management. The additional code keeps\\ntrack of the number of pointers from task_structs to any given cred struct, and checks to see\\nthat this number never exceeds the usage count of the cred struct.\\n\\nFurthermore, if SELinux is enabled, this also checks that the security pointer in the cred\\nstruct is never seen to be invalid.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This adds sanity checks and validations to credential data structures.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_credentials:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_credentials_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_debug_credentials\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable this to turn on some debug checking for credential management. The additional code keeps\ntrack of the number of pointers from task_structs to any given cred struct, and checks to see\nthat this number never exceeds the usage count of the cred struct.\n\nFurthermore, if SELinux is enabled, this also checks that the security pointer in the cred\nstruct is never seen to be invalid.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "is a virtual file system that kernel developers use to put debugging files\ninto. Enable this option to be able to read and write to these files.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_fs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_fs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_fs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_debug_fs",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable kernel debugfs",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_fs",
+ "desc": "is a virtual file system that kernel developers use to put debugging files\ninto. Enable this option to be able to read and write to these files.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "To reduce the attack surface, this file system should be disabled if not in use.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable kernel debugfs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"debugfs\",\n \"/boot/config-*\",\n \"CONFIG_DEBUG_FS\",\n \"grep CONFIG_DEBUG_FS /boot/config-*\"\n ],\n \"text\": \"is a virtual file system that kernel developers use to put debugging files\\ninto. Enable this option to be able to read and write to these files.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"To reduce the attack surface, this file system should be disabled if not in use.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_fs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_fs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_debug_fs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "is a virtual file system that kernel developers use to put debugging files\ninto. Enable this option to be able to read and write to these files.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Enable this to turn on extended checks in the linked-list walking routines.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_list",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_list:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_list_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_debug_list",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable checks on linked list manipulation",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_list",
+ "desc": "Enable this to turn on extended checks in the linked-list walking routines.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This add sanity checks to manipulation of linked lists structures in the kernel and may\nprevent exploits such as CVE-2017-1661, where a race condition and simultaneos operations\ncaused a list to corrupt.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Enable checks on linked list manipulation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEBUG_LIST\",\n \"grep CONFIG_DEBUG_LIST /boot/config-*\"\n ],\n \"text\": \"Enable this to turn on extended checks in the linked-list walking routines.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This add sanity checks to manipulation of linked lists structures in the kernel and may\\nprevent exploits such as CVE-2017-1661, where a race condition and simultaneos operations\\ncaused a list to corrupt.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_list:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_list_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_debug_list\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable this to turn on extended checks in the linked-list walking routines.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel\ndevelopers to make sure that modules properly unregister themselves from notifier chains.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_notifiers",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_notifiers:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_notifiers_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_debug_notifiers",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable checks on notifier call chains",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_notifiers",
+ "desc": "Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel\ndevelopers to make sure that modules properly unregister themselves from notifier chains.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This provides validation of notifier chains, it checks whether the notifiers are from the\nkernel or a module that is still loaded prior to being invoked.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Enable checks on notifier call chains\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEBUG_NOTIFIERS\",\n \"grep CONFIG_DEBUG_NOTIFIERS /boot/config-*\"\n ],\n \"text\": \"Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel\\ndevelopers to make sure that modules properly unregister themselves from notifier chains.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This provides validation of notifier chains, it checks whether the notifiers are from the\\nkernel or a module that is still loaded prior to being invoked.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_notifiers:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_notifiers_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_debug_notifiers\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel\ndevelopers to make sure that modules properly unregister themselves from notifier chains.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Scatter-gather tables are mechanism used for high performance I/O on DMA devices.\nEnable this to turn on checks on scatter-gather tables.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_sg",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_sg:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_sg_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_debug_sg",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable checks on scatter-gather (SG) table operations",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_debug_sg",
+ "desc": "Scatter-gather tables are mechanism used for high performance I/O on DMA devices.\nEnable this to turn on checks on scatter-gather tables.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This can help find problems with drivers that do not properly initialize their SG tables.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Enable checks on scatter-gather (SG) table operations\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEBUG_SG\",\n \"grep CONFIG_DEBUG_SG /boot/config-*\"\n ],\n \"text\": \"Scatter-gather tables are mechanism used for high performance I/O on DMA devices.\\nEnable this to turn on checks on scatter-gather tables.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This can help find problems with drivers that do not properly initialize their SG tables.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_debug_sg:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_debug_sg_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_debug_sg\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Scatter-gather tables are mechanism used for high performance I/O on DMA devices.\nEnable this to turn on checks on scatter-gather tables.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This is the portion of low virtual memory which should be protected from userspace allocation.\nThis configuration is available from kernel 3.14, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"65536\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_default_mmap_min_addr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_default_mmap_min_addr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure low address space to protect from user allocation",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr",
+ "desc": "This is the portion of low virtual memory which should be protected from userspace allocation.\nThis configuration is available from kernel 3.14, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"65536\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure low address space to protect from user allocation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEFAULT_MMAP_MIN_ADDR\",\n \"grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*\"\n ],\n \"text\": \"This is the portion of low virtual memory which should be protected from userspace allocation.\\nThis configuration is available from kernel 3.14, but may be available if backported\\nby distros.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"65536\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_default_mmap_min_addr:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_default_mmap_min_addr_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This is the portion of low virtual memory which should be protected from userspace allocation.\nThis configuration is available from kernel 3.14, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"65536\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Disable support for the /dev/kmem device.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_devkmem",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_devkmem:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_devkmem_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_devkmem",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable /dev/kmem virtual device support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_devkmem",
+ "desc": "Disable support for the /dev/kmem device.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "The /dev/kmem device is rarely used, but can be used for certain kind of kernel debugging\noperations.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable /dev/kmem virtual device support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_DEVKMEM\",\n \"grep CONFIG_DEVKMEM /boot/config-*\"\n ],\n \"text\": \"Disable support for the /dev/kmem device.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"The /dev/kmem device is rarely used, but can be used for certain kind of kernel debugging\\noperations.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_devkmem:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_devkmem_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_devkmem\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disable support for the /dev/kmem device.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enable the suspend to disk (STD) functionality, which is usually called \"hibernation\" in user\ninterfaces. STD checkpoints the system and powers it off; and restores that checkpoint on\nreboot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_hibernation",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_hibernation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_hibernation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_hibernation",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable hibernation",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_hibernation",
+ "desc": "Enable the suspend to disk (STD) functionality, which is usually called \"hibernation\" in user\ninterfaces. STD checkpoints the system and powers it off; and restores that checkpoint on\nreboot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Suspending to disk allows one to replace the running kernel.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable hibernation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_HIBERNATION\",\n \"grep CONFIG_HIBERNATION /boot/config-*\"\n ],\n \"text\": \"Enable the suspend to disk (STD) functionality, which is usually called \\\"hibernation\\\" in user\\ninterfaces. STD checkpoints the system and powers it off; and restores that checkpoint on\\nreboot.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Suspending to disk allows one to replace the running kernel.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_hibernation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_hibernation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_hibernation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable the suspend to disk (STD) functionality, which is usually called \"hibernation\" in user\ninterfaces. STD checkpoints the system and powers it off; and restores that checkpoint on\nreboot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Disables support for legacy 32-bit programs under a 64-bit kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_ia32_emulation",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_ia32_emulation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_ia32_emulation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_ia32_emulation",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable IA32 emulation",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_ia32_emulation",
+ "desc": "Disables support for legacy 32-bit programs under a 64-bit kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Disabling 32-bit backwards compatibility helps reduce the attack surface.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable IA32 emulation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_IA32_EMULATION\",\n \"grep CONFIG_IA32_EMULATION /boot/config-*\"\n ],\n \"text\": \"Disables support for legacy 32-bit programs under a 64-bit kernel.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n {\n \"text\": \"Only disable support for 32-bit programs if you are sure you don't need any 32-bit program.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disabling 32-bit backwards compatibility helps reduce the attack surface.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_ia32_emulation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_ia32_emulation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_ia32_emulation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disables support for legacy 32-bit programs under a 64-bit kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Disable support for IP version 6 (IPv6).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_ipv6",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_ipv6",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable the IPv6 protocol",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_ipv6",
+ "desc": "Disable support for IP version 6 (IPv6).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Any unnecessary network stacks, including IPv6, should be disabled to reduce\nthe vulnerability to exploitation.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable the IPv6 protocol\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_IPV6\",\n \"grep CONFIG_IPV6 /boot/config-*\"\n ],\n \"text\": \"Disable support for IP version 6 (IPv6).\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Any unnecessary network stacks, including IPv6, should be disabled to reduce\\nthe vulnerability to exploitation.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_ipv6\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disable support for IP version 6 (IPv6).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "is a system call that implements the ability to shutdown your current kernel,\nand to start another kernel. It is like a reboot but it is independent of the system firmware.\nAnd like a reboot you can start any kernel with it, not just Linux.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_kexec",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_kexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_kexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_kexec",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable kexec system call",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_kexec",
+ "desc": "is a system call that implements the ability to shutdown your current kernel,\nand to start another kernel. It is like a reboot but it is independent of the system firmware.\nAnd like a reboot you can start any kernel with it, not just Linux.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Prohibits the execution of a new kernel image after reboot.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable kexec system call\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"kexec\",\n \"/boot/config-*\",\n \"CONFIG_KEXEC\",\n \"grep CONFIG_KEXEC /boot/config-*\"\n ],\n \"text\": \"is a system call that implements the ability to shutdown your current kernel,\\nand to start another kernel. It is like a reboot but it is independent of the system firmware.\\nAnd like a reboot you can start any kernel with it, not just Linux.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Prohibits the execution of a new kernel image after reboot.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_kexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_kexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_kexec\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "is a system call that implements the ability to shutdown your current kernel,\nand to start another kernel. It is like a reboot but it is independent of the system firmware.\nAnd like a reboot you can start any kernel with it, not just Linux.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for\nslaves of pseudo terminals, and use only the modern ptys (devpts) interface.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_legacy_ptys",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_legacy_ptys:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_legacy_ptys_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_legacy_ptys",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable legacy (BSD) PTY support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_legacy_ptys",
+ "desc": "Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for\nslaves of pseudo terminals, and use only the modern ptys (devpts) interface.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "The legacy scheme has a number of security problems.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable legacy (BSD) PTY support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_LEGACY_PTYS\",\n \"grep CONFIG_LEGACY_PTYS /boot/config-*\"\n ],\n \"text\": \"Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for\\nslaves of pseudo terminals, and use only the modern ptys (devpts) interface.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"The legacy scheme has a number of security problems.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_legacy_ptys:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_legacy_ptys_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_legacy_ptys\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for\nslaves of pseudo terminals, and use only the modern ptys (devpts) interface.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Check modules for valid signatures upon load.\nNote that this option adds the OpenSSL development packages as a kernel build dependency so\nthat the signing tool can use its crypto library.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable module signature verification",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig",
+ "desc": "Check modules for valid signatures upon load.\nNote that this option adds the OpenSSL development packages as a kernel build dependency so\nthat the signing tool can use its crypto library.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Loaded modules must be signed.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable module signature verification\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG\",\n \"grep CONFIG_MODULE_SIG /boot/config-*\"\n ],\n \"text\": \"Check modules for valid signatures upon load.\\nNote that this option adds the OpenSSL development packages as a kernel build dependency so\\nthat the signing tool can use its crypto library.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Loaded modules must be signed.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Check modules for valid signatures upon load.\nNote that this option adds the OpenSSL development packages as a kernel build dependency so\nthat the signing tool can use its crypto library.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Sign all modules during make modules_install. Without this option, modules must be signed\nmanually, using the scripts/sign-file tool.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_all",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_all:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_all_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_all",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable automatic signing of all modules",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_all",
+ "desc": "Sign all modules during make modules_install. Without this option, modules must be signed\nmanually, using the scripts/sign-file tool.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This ensures the modules are signed during install process.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable automatic signing of all modules\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG_ALL\",\n \"grep CONFIG_MODULE_SIG_ALL /boot/config-*\"\n ],\n \"text\": \"Sign all modules during make modules_install. Without this option, modules must be signed\\nmanually, using the scripts/sign-file tool.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This ensures the modules are signed during install process.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_all:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_all_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig_all\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Sign all modules during make modules_install. Without this option, modules must be signed\nmanually, using the scripts/sign-file tool.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Reject unsigned modules or signed modules with an unknown key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_force:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_force_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Require modules to be validly signed",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force",
+ "desc": "Reject unsigned modules or signed modules with an unknown key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Prevent loading modules that are unsigned or signed with an unknown key.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Require modules to be validly signed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG_FORCE\",\n \"grep CONFIG_MODULE_SIG_FORCE /boot/config-*\"\n ],\n \"text\": \"Reject unsigned modules or signed modules with an unknown key.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Prevent loading modules that are unsigned or signed with an unknown key.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_force:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_force_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Reject unsigned modules or signed modules with an unknown key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This configures the kernel to build and sign modules usingas the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_hash",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_module_sig_hash:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_hash:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_hash_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_hash",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Hash function for kernel module signing",
+ "lang": "en-US"
+ },
+ "description": "The hash function to use when signing modules during kernel build process.",
+ "value": [
+ "sha512",
+ {
+ "text": "sha1",
+ "selector": "sha1"
+ },
+ {
+ "text": "sha224",
+ "selector": "sha224"
+ },
+ {
+ "text": "sha256",
+ "selector": "sha256"
+ },
+ {
+ "text": "sha384",
+ "selector": "sha384"
+ },
+ {
+ "text": "sha512",
+ "selector": "sha512"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Specify the hash to use when signing modules",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_hash",
+ "desc": "This configures the kernel to build and sign modules usingas the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Use of strong hash function is important to secure the module against counterfeit signatures.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Specify the hash to use when signing modules\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"sub\": [\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash\",\n \"use\": \"legacy\"\n },\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash\",\n \"use\": \"legacy\"\n }\n ],\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG_HASH\",\n \"grep CONFIG_MODULE_SIG_HASH /boot/config-*\"\n ],\n \"text\": \"This configures the kernel to build and sign modules usingas the hash function.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Use of strong hash function is important to secure the module against counterfeit signatures.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_module_sig_hash:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_hash:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_hash_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig_hash\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This configures the kernel to build and sign modules usingas the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Setting this option to something other than its default ofwill\ndisable the autogeneration of signing keys and allow the kernel modules to be signed with a key\nof your choosing.\n\nThe string provided should identify a file containing both a private key and\nits corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11\nis functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should\nreference both a certificate and a private key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_module_sig_key:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Key and certificate for kernel module signing",
+ "lang": "en-US"
+ },
+ "description": "The private key and certificate to use when signing modules during kernel build process.\nOn systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI as defined by RFC7512\nIn the latter case, the PKCS#11 URI should reference both a certificate and a private key.",
+ "value": [
+ "certs/signing_key.pem",
+ {
+ "text": "certs/signing_key.pem",
+ "selector": "kernel_default"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key",
+ "type": "string",
+ "interactive": "true"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Specify module signing key to use",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key",
+ "desc": "Setting this option to something other than its default ofwill\ndisable the autogeneration of signing keys and allow the kernel modules to be signed with a key\nof your choosing.\n\nThe string provided should identify a file containing both a private key and\nits corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11\nis functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should\nreference both a certificate and a private key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "descriptions": [
+ {
+ "data": "A key and certificate is required to sign the built modules.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Specify module signing key to use\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"certs/signing_key.pem\",\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG_KEY\",\n \"grep CONFIG_MODULE_SIG_KEY /boot/config-*\"\n ],\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key\",\n \"use\": \"legacy\"\n },\n \"text\": \"Setting this option to something other than its default ofwill\\ndisable the autogeneration of signing keys and allow the kernel modules to be signed with a key\\nof your choosing.\\n\\nThe string provided should identify a file containing both a private key and\\nits corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11\\nis functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should\\nreference both a certificate and a private key.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"A key and certificate is required to sign the built modules.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_module_sig_key:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Setting this option to something other than its default ofwill\ndisable the autogeneration of signing keys and allow the kernel modules to be signed with a key\nof your choosing.\n\nThe string provided should identify a file containing both a private key and\nits corresponding X.509 certificate in PEM form, or — on systems where the OpenSSL ENGINE_pkcs11\nis functional — a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should\nreference both a certificate and a private key.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This configures the kernel to build and sign modules using SHA512 as the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_sha512:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_sha512_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Sign kernel modules with SHA-512",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512",
+ "desc": "This configures the kernel to build and sign modules using SHA512 as the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Use of strong hash function is important to secure the module against counterfeit signatures.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Sign kernel modules with SHA-512\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_MODULE_SIG_SHA512\",\n \"grep CONFIG_MODULE_SIG_SHA512 /boot/config-*\"\n ],\n \"text\": \"This configures the kernel to build and sign modules using SHA512 as the hash function.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Use of strong hash function is important to secure the module against counterfeit signatures.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_module_sig_sha512:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_module_sig_sha512_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This configures the kernel to build and sign modules using SHA512 as the hash function.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some\nof the overhead of the poisoning feature.\nThis configuration is available from kernel 4.6.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_no_sanity",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_poisoning_no_sanity:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_poisoning_no_sanity_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_no_sanity",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable poison without sanity check",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_no_sanity",
+ "desc": "Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some\nof the overhead of the poisoning feature.\nThis configuration is available from kernel 4.6.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This configuration helps alleviates the performance impact of poisonining.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable poison without sanity check\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PAGE_POISONING_NO_SANITY\",\n \"grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config-*\"\n ],\n \"text\": \"Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some\\nof the overhead of the poisoning feature.\\nThis configuration is available from kernel 4.6.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This configuration helps alleviates the performance impact of poisonining.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_poisoning_no_sanity:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_poisoning_no_sanity_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_no_sanity\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some\nof the overhead of the poisoning feature.\nThis configuration is available from kernel 4.6.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Instead of using the existing poison value, fill the pages with zeros. This makes it harder to\ndetect when errors are occurring due to sanitization but the zeroing at free means that it is\nno longer necessary to write zeros when GFP_ZERO is used on allocation.\nThis configuration is available from kernel 4.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_zero",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_poisoning_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_poisoning_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_zero",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Use zero for poisoning instead of debugging value",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_zero",
+ "desc": "Instead of using the existing poison value, fill the pages with zeros. This makes it harder to\ndetect when errors are occurring due to sanitization but the zeroing at free means that it is\nno longer necessary to write zeros when GFP_ZERO is used on allocation.\nThis configuration is available from kernel 4.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This configuration helps alleviates the performance impact of poisonining.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Use zero for poisoning instead of debugging value\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PAGE_POISONING_ZERO\",\n \"grep CONFIG_PAGE_POISONING_ZERO /boot/config-*\"\n ],\n \"text\": \"Instead of using the existing poison value, fill the pages with zeros. This makes it harder to\\ndetect when errors are occurring due to sanitization but the zeroing at free means that it is\\nno longer necessary to write zeros when GFP_ZERO is used on allocation.\\nThis configuration is available from kernel 4.19.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This configuration helps alleviates the performance impact of poisonining.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_poisoning_zero:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_poisoning_zero_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_zero\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Instead of using the existing poison value, fill the pages with zeros. This makes it harder to\ndetect when errors are occurring due to sanitization but the zeroing at free means that it is\nno longer necessary to write zeros when GFP_ZERO is used on allocation.\nThis configuration is available from kernel 4.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "high",
+ "description": "This feature reduces the number of hardware side channels by ensuring that the majority of\nkernel addresses are not mapped into userspace.\nThis configuration is available from kernel 4.15, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_page_table_isolation",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_table_isolation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_table_isolation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_page_table_isolation",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Remove the kernel mapping in user mode",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_page_table_isolation",
+ "desc": "This feature reduces the number of hardware side channels by ensuring that the majority of\nkernel addresses are not mapped into userspace.\nThis configuration is available from kernel 4.15, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This is a countermeasure to the Meltdown attack.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Remove the kernel mapping in user mode\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PAGE_TABLE_ISOLATION\",\n \"grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-*\"\n ],\n \"text\": \"This feature reduces the number of hardware side channels by ensuring that the majority of\\nkernel addresses are not mapped into userspace.\\nThis configuration is available from kernel 4.15, but may be available if backported\\nby distros.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This is a countermeasure to the Meltdown attack.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_page_table_isolation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_page_table_isolation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_page_table_isolation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This feature reduces the number of hardware side channels by ensuring that the majority of\nkernel addresses are not mapped into userspace.\nThis configuration is available from kernel 4.15, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enable the kernel to panic when it oopses.\nThis has the same effect as setting oops=panic on the kernel command line.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_panic_on_oops",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_panic_on_oops:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_panic_on_oops_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_panic_on_oops",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Kernel panic oops",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_panic_on_oops",
+ "desc": "Enable the kernel to panic when it oopses.\nThis has the same effect as setting oops=panic on the kernel command line.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This feature ensures that the kernel does not do anything erroneous after an oops which\ncould result in data corruption or other issues.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Kernel panic oops\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PANIC_ON_OOPS\",\n \"grep CONFIG_PANIC_ON_OOPS /boot/config-*\"\n ],\n \"text\": \"Enable the kernel to panic when it oopses.\\nThis has the same effect as setting oops=panic on the kernel command line.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This feature ensures that the kernel does not do anything erroneous after an oops which\\ncould result in data corruption or other issues.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_panic_on_oops:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_panic_on_oops_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_panic_on_oops\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable the kernel to panic when it oopses.\nThis has the same effect as setting oops=panic on the kernel command line.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Set the timeout value (in seconds) until a reboot occurs when the kernel panics.\nA timeout of 0 configures the system to wait forever. With a timeout value greater than 0,\nthe system will wait the specified amount of seconds before rebooting. While a timeout value\nless than 0 makes the system reboot immediately.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_panic_timeout",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_panic_timeout:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_panic_timeout:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_panic_timeout_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_panic_timeout",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Kernel panic timeout",
+ "lang": "en-US"
+ },
+ "description": "The time, in seconds, to wait until a reboot occurs.\nIf the value isthe system never reboots.\nIf the value is less thanthe system reboots immediately.",
+ "value": [
+ "0",
+ {
+ "text": "0",
+ "selector": "never"
+ },
+ {
+ "text": "300",
+ "selector": "5_minutes"
+ },
+ {
+ "text": "60",
+ "selector": "1_minute"
+ },
+ {
+ "text": "-1",
+ "selector": "immediately"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout",
+ "type": "string",
+ "interactive": "true"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Kernel panic timeout",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_panic_timeout",
+ "desc": "Set the timeout value (in seconds) until a reboot occurs when the kernel panics.\nA timeout of 0 configures the system to wait forever. With a timeout value greater than 0,\nthe system will wait the specified amount of seconds before rebooting. While a timeout value\nless than 0 makes the system reboot immediately.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This is required to enable protection against Spectre v2.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Kernel panic timeout\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PANIC_TIMEOUT\",\n \"grep CONFIG_PANIC_TIMEOUT /boot/config-*\"\n ],\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout\",\n \"use\": \"legacy\"\n },\n \"text\": \"Set the timeout value (in seconds) until a reboot occurs when the kernel panics.\\nA timeout of 0 configures the system to wait forever. With a timeout value greater than 0,\\nthe system will wait the specified amount of seconds before rebooting. While a timeout value\\nless than 0 makes the system reboot immediately.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This is required to enable protection against Spectre v2.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_kernel_config_panic_timeout:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_panic_timeout:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_panic_timeout_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_panic_timeout\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Set the timeout value (in seconds) until a reboot occurs when the kernel panics.\nA timeout of 0 configures the system to wait forever. With a timeout value greater than 0,\nthe system will wait the specified amount of seconds before rebooting. While a timeout value\nless than 0 makes the system reboot immediately.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Provides a virtual ELF core file of the live kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_proc_kcore",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_proc_kcore:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_proc_kcore_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_proc_kcore",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable support for /proc/kkcore",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_proc_kcore",
+ "desc": "Provides a virtual ELF core file of the live kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "This feature exposes the memory to the userspace and can assist an attacker in discovering\nattack vectors.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable support for /proc/kkcore\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_PROC_KCORE\",\n \"grep CONFIG_PROC_KCORE /boot/config-*\"\n ],\n \"text\": \"Provides a virtual ELF core file of the live kernel.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This feature exposes the memory to the userspace and can assist an attacker in discovering\\nattack vectors.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_proc_kcore:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_proc_kcore_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_proc_kcore\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Provides a virtual ELF core file of the live kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical\naddress at which the kernel image is decompressed and the virtual address where the kernel\nimage is mapped.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_base",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_randomize_base:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_randomize_base_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_base",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Randomize the address of the kernel image (KASLR)",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_base",
+ "desc": "In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical\naddress at which the kernel image is decompressed and the virtual address where the kernel\nimage is mapped.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "An unpredictable kernel address makes it more difficult to succeed with exploits that rely on\nknowledge of the location of kernel code internals.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Randomize the address of the kernel image (KASLR)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_RANDOMIZE_BASE\",\n \"grep CONFIG_RANDOMIZE_BASE /boot/config-*\"\n ],\n \"text\": \"In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical\\naddress at which the kernel image is decompressed and the virtual address where the kernel\\nimage is mapped.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"An unpredictable kernel address makes it more difficult to succeed with exploits that rely on\\nknowledge of the location of kernel code internals.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_randomize_base:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_randomize_base_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_randomize_base\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical\naddress at which the kernel image is decompressed and the virtual address where the kernel\nimage is mapped.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Randomizes the base virtual address of kernel memory sections (physical memory mapping,\nvmalloc & vmemmap).\nThis configuration is available from kernel 4.8, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_randomize_memory:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Randomize the kernel memory sections",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory",
+ "desc": "Randomizes the base virtual address of kernel memory sections (physical memory mapping,\nvmalloc & vmemmap).\nThis configuration is available from kernel 4.8, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This security feature makes exploits relying on predictable memory locations less reliable.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Randomize the kernel memory sections\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_RANDOMIZE_MEMORY\",\n \"grep CONFIG_RANDOMIZE_MEMORY /boot/config-*\"\n ],\n \"text\": \"Randomizes the base virtual address of kernel memory sections (physical memory mapping,\\nvmalloc & vmemmap).\\nThis configuration is available from kernel 4.8, but may be available if backported\\nby distros.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This security feature makes exploits relying on predictable memory locations less reliable.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_randomize_memory:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Randomizes the base virtual address of kernel memory sections (physical memory mapping,\nvmalloc & vmemmap).\nThis configuration is available from kernel 4.8, but may be available if backported\nby distros.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks\nby avoiding speculative indirect branches.\nRequires a compiler with -mindirect-branch=thunk-extern support for full protection.\nThe kernel may run slower.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_retpoline",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_retpoline:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_retpoline_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_retpoline",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Avoid speculative indirect branches in kernel",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_retpoline",
+ "desc": "Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks\nby avoiding speculative indirect branches.\nRequires a compiler with -mindirect-branch=thunk-extern support for full protection.\nThe kernel may run slower.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This is required to enable protection against Spectre v2.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Avoid speculative indirect branches in kernel\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_RETPOLINE\",\n \"grep CONFIG_RETPOLINE /boot/config-*\"\n ],\n \"text\": \"Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks\\nby avoiding speculative indirect branches.\\nRequires a compiler with -mindirect-branch=thunk-extern support for full protection.\\nThe kernel may run slower.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This is required to enable protection against Spectre v2.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_retpoline:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_retpoline_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_retpoline\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks\nby avoiding speculative indirect branches.\nRequires a compiler with -mindirect-branch=thunk-extern support for full protection.\nThe kernel may run slower.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This kernel feature is useful for number crunching applications that may need to compute\nuntrusted bytecode during their execution. By using pipes or other transports made available\nto the process as file descriptors supporting the read/write syscalls, it's possible to isolate\nthose applications in their own address space using seccomp.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_seccomp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_seccomp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable seccomp to safely compute untrusted bytecode",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp",
+ "desc": "This kernel feature is useful for number crunching applications that may need to compute\nuntrusted bytecode during their execution. By using pipes or other transports made available\nto the process as file descriptors supporting the read/write syscalls, it's possible to isolate\nthose applications in their own address space using seccomp.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "enables the ability to filter system calls made by an application, effectively\nisolating the system's resources from it.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable seccomp to safely compute untrusted bytecode\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SECCOMP\",\n \"grep CONFIG_SECCOMP /boot/config-*\"\n ],\n \"text\": \"This kernel feature is useful for number crunching applications that may need to compute\\nuntrusted bytecode during their execution. By using pipes or other transports made available\\nto the process as file descriptors supporting the read/write syscalls, it's possible to isolate\\nthose applications in their own address space using seccomp.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"code\": \"seccomp\",\n \"text\": \"enables the ability to filter system calls made by an application, effectively\\nisolating the system's resources from it.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_seccomp:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_seccomp_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_seccomp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This kernel feature is useful for number crunching applications that may need to compute\nuntrusted bytecode during their execution. By using pipes or other transports made available\nto the process as file descriptors supporting the read/write syscalls, it's possible to isolate\nthose applications in their own address space using seccomp.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter\nprograms which implement task-defined system call filtering polices.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_seccomp_filter:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable use of Berkeley Packet Filter with seccomp",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter",
+ "desc": "Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter\nprograms which implement task-defined system call filtering polices.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Use of BPF filters allows for expressive filtering of system calls using a filter program\nlanguage with a long history of being exposed to userland.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable use of Berkeley Packet Filter with seccomp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SECCOMP_FILTER\",\n \"grep CONFIG_SECCOMP_FILTER /boot/config-*\"\n ],\n \"text\": \"Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter\\nprograms which implement task-defined system call filtering polices.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Use of BPF filters allows for expressive filtering of system calls using a filter program\\nlanguage with a long history of being exposed to userland.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_seccomp_filter:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter\nprograms which implement task-defined system call filtering polices.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This allows you to choose different security modules to be configured into your kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_security",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_security",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable different security models",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_security",
+ "desc": "This allows you to choose different security modules to be configured into your kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This is enables kernel security primitives required by the LSM framework.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable different security models\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SECURITY\",\n \"grep CONFIG_SECURITY /boot/config-*\"\n ],\n \"text\": \"This allows you to choose different security modules to be configured into your kernel.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This is enables kernel security primitives required by the LSM framework.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_security\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This allows you to choose different security modules to be configured into your kernel.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_dmesg_restrict:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Restrict unprivileged access to the kernel syslog",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict",
+ "desc": "Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "Prevents unprivileged users from retrieving kernel addresses with dmesg.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Restrict unprivileged access to the kernel syslog\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SECURITY_DMESG_RESTRICT\",\n \"grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-*\"\n ],\n \"text\": \"Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Prevents unprivileged users from retrieving kernel addresses with dmesg.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_dmesg_restrict:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_writable_hooks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable mutable hooks",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks",
+ "desc": "Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and\nbeing able to manipulate hooks is a way to bypass all LSMs.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable mutable hooks\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SECURITY_WRITABLE_HOOKS\",\n \"grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-*\"\n ],\n \"text\": \"Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and\\nbeing able to manipulate hooks is a way to bypass all LSMs.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_writable_hooks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "This enables support for LSM module Yama, which extends DAC support with additional system-wide\nsecurity settings beyond regular Linux discretionary access controls. The module will limit the\nuse of the system call.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_security_yama",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_yama:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_yama_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_security_yama",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable Yama support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_security_yama",
+ "desc": "This enables support for LSM module Yama, which extends DAC support with additional system-wide\nsecurity settings beyond regular Linux discretionary access controls. The module will limit the\nuse of the system call.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "Unrestricted usage of ptrace allows compromised binaries to run ptrace\non another processes of the user.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Yama support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ptrace()\",\n \"/boot/config-*\",\n \"CONFIG_SECURITY_YAMA\",\n \"grep CONFIG_SECURITY_YAMA /boot/config-*\"\n ],\n \"text\": \"This enables support for LSM module Yama, which extends DAC support with additional system-wide\\nsecurity settings beyond regular Linux discretionary access controls. The module will limit the\\nuse of the system call.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Unrestricted usage of ptrace allows compromised binaries to run ptrace\\non another processes of the user.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_security_yama:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_security_yama_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_security_yama\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "This enables support for LSM module Yama, which extends DAC support with additional system-wide\nsecurity settings beyond regular Linux discretionary access controls. The module will limit the\nuse of the system call.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "SLUB has extensive debug support features and this allows the allocator validation checking to\nbe enabled.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_slub_debug",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_slub_debug:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_slub_debug_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_slub_debug",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable SLUB debugging support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_slub_debug",
+ "desc": "SLUB has extensive debug support features and this allows the allocator validation checking to\nbe enabled.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This activates the checking of the memory allocator structures and resets to zero the zones\nallocated when they are released.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable SLUB debugging support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SLUB_DEBUG\",\n \"grep CONFIG_SLUB_DEBUG /boot/config-*\"\n ],\n \"text\": \"SLUB has extensive debug support features and this allows the allocator validation checking to\\nbe enabled.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This activates the checking of the memory allocator structures and resets to zero the zones\\nallocated when they are released.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_slub_debug:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_slub_debug_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_slub_debug\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SLUB has extensive debug support features and this allows the allocator validation checking to\nbe enabled.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Normal TCP/IP networking is open to an attack known as SYN flooding.\nIt is denial-of-service attack that prevents legitimate remote users from being able to connect\nto your computer during an ongoing attack.\n\nWhen enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies\nto enable legitimate users to continue to connect, even when your machine is under attack.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_syn_cookies:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_syn_cookies_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable TCP/IP syncookie support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies",
+ "desc": "Normal TCP/IP networking is open to an attack known as SYN flooding.\nIt is denial-of-service attack that prevents legitimate remote users from being able to connect\nto your computer during an ongoing attack.\n\nWhen enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies\nto enable legitimate users to continue to connect, even when your machine is under attack.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "SYN cookies provide protection against SYN flooding attacks.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable TCP/IP syncookie support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_SYN_COOKIES\",\n \"grep CONFIG_SYN_COOKIES /boot/config-*\"\n ],\n \"text\": \"Normal TCP/IP networking is open to an attack known as SYN flooding.\\nIt is denial-of-service attack that prevents legitimate remote users from being able to connect\\nto your computer during an ongoing attack.\\n\\nWhen enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies\\nto enable legitimate users to continue to connect, even when your machine is under attack.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"SYN cookies provide protection against SYN flooding attacks.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_syn_cookies:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_syn_cookies_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Normal TCP/IP networking is open to an attack known as SYN flooding.\nIt is denial-of-service attack that prevents legitimate remote users from being able to connect\nto your computer during an ongoing attack.\n\nWhen enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies\nto enable legitimate users to continue to connect, even when your machine is under attack.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Speculation attacks against some high-performance processors can be used to bypass MMU\npermission checks and leak kernel data to userspace. This can be defended against by unmapping\nthe kernel when running in userspace, mapping it back in on exception entry via a trampoline\npage in the vector table.\nThis configuration is available from kernel 4.16, but may be available if backported\nby distros.\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_unmap_kernel_at_el0:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_unmap_kernel_at_el0_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Unmap kernel when running in userspace (aka KAISER)",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0",
+ "desc": "Speculation attacks against some high-performance processors can be used to bypass MMU\npermission checks and leak kernel data to userspace. This can be defended against by unmapping\nthe kernel when running in userspace, mapping it back in on exception entry via a trampoline\npage in the vector table.\nThis configuration is available from kernel 4.16, but may be available if backported\nby distros.\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "descriptions": [
+ {
+ "data": "This is a countermeasure to the Meltdown attack.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Unmap kernel when running in userspace (aka KAISER)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_UNMAP_KERNEL_AT_EL0\",\n \"grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-*\"\n ],\n \"text\": \"Speculation attacks against some high-performance processors can be used to bypass MMU\\npermission checks and leak kernel data to userspace. This can be defended against by unmapping\\nthe kernel when running in userspace, mapping it back in on exception entry via a trampoline\\npage in the vector table.\\nThis configuration is available from kernel 4.16, but may be available if backported\\nby distros.\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:For each kernel installed, a line with value \\\"y\\\" should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"This is a countermeasure to the Meltdown attack.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#aarch64_arch\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_unmap_kernel_at_el0:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_unmap_kernel_at_el0_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Speculation attacks against some high-performance processors can be used to bypass MMU\npermission checks and leak kernel data to userspace. This can be defended against by unmapping\nthe kernel when running in userspace, mapping it back in on exception entry via a trampoline\npage in the vector table.\nThis configuration is available from kernel 4.16, but may be available if backported\nby distros.\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:For each kernel installed, a line with value \"y\" should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also\ndisable the helpful warning if a program tries to use a vsyscall. With this option set to N,\noffending programs will just segfault, citing addresses of the form 0xffffffffff600?00.\nThis configuration is available from kernel 3.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "group_id": "xccdf_org.ssgproject.content_group_kernel_build_config",
+ "group_title": "Kernel Configuration",
+ "group_description": "Contains rules that check the kernel configuration that was used to build it.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_x86_vsyscall_emulation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_x86_vsyscall_emulation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable x86 vsyscall emulation",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation",
+ "desc": "Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also\ndisable the helpful warning if a program tries to use a vsyscall. With this option set to N,\noffending programs will just segfault, citing addresses of the form 0xffffffffff600?00.\nThis configuration is available from kernel 3.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "descriptions": [
+ {
+ "data": "The vsyscall table is no longer required and is a potential source of ROP gadgets.",
+ "label": "rationale"
+ },
+ {
+ "data": "There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable x86 vsyscall emulation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/boot/config-*\",\n \"CONFIG_X86_VSYSCALL_EMULATION\",\n \"grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-*\"\n ],\n \"text\": \"Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also\\ndisable the helpful warning if a program tries to use a vsyscall. With this option set to N,\\noffending programs will just segfault, citing addresses of the form 0xffffffffff600?00.\\nThis configuration is available from kernel 3.19.\\n\\nThe configuration that was used to build kernel is available at.\\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\\n lines should be returned.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"The vsyscall table is no longer required and is a potential source of ROP gadgets.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_config_x86_vsyscall_emulation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_config_x86_vsyscall_emulation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also\ndisable the helpful warning if a program tries to use a vsyscall. With this option set to N,\noffending programs will just segfault, citing addresses of the form 0xffffffffff600?00.\nThis configuration is available from kernel 3.19.\n\nThe configuration that was used to build kernel is available at.\n To check the configuration value for, run the following command:Configs with value 'n' are not explicitly set in the file, so either commented lines or no\n lines should be returned.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)"
+ ],
+ "severity": "medium",
+ "description": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs the remote system must be authenticated.",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Rsyslog Authenticates Off-Loaded Audit Records",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode",
+ "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs the remote system must be authenticated.",
+ "descriptions": [
+ {
+ "data": "The audit records generated by Rsyslog contain valuable information regarding system\nconfiguration, user authentication, and other such information. Audit records should be\nprotected from unauthorized access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Rsyslog Authenticates Off-Loaded Audit Records\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"gnutls\",\n \"rsyslogd\"\n ],\n \"text\": \"Rsyslogd is a system utility providing support for message logging. Support\\nfor both internet and UNIX domain sockets enables this utility to support both local\\nand remote logging. Couple this utility with(which is a secure communications\\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\\nencrypt and off-load auditing.\\n\\nWhen usingto off-load logs the remote system must be authenticated.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The audit records generated by Rsyslog contain valuable information regarding system\\nconfiguration, user authentication, and other such information. Audit records should be\\nprotected from unauthorized access.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs the remote system must be authenticated.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)"
+ ],
+ "severity": "medium",
+ "description": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off a encrpytion system must be used.",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Rsyslog Encrypts Off-Loaded Audit Records",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode",
+ "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off a encrpytion system must be used.",
+ "descriptions": [
+ {
+ "data": "The audit records generated by Rsyslog contain valuable information regarding system\nconfiguration, user authentication, and other such information. Audit records should be\nprotected from unauthorized access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Rsyslog Encrypts Off-Loaded Audit Records\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"gnutls\",\n \"rsyslogd\"\n ],\n \"text\": \"Rsyslogd is a system utility providing support for message logging. Support\\nfor both internet and UNIX domain sockets enables this utility to support both local\\nand remote logging. Couple this utility with(which is a secure communications\\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\\nencrypt and off-load auditing.\\n\\nWhen usingto off-load logs off a encrpytion system must be used.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The audit records generated by Rsyslog contain valuable information regarding system\\nconfiguration, user authentication, and other such information. Audit records should be\\nprotected from unauthorized access.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/rsyslog.d/encrypt.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*\\\\$ActionSendStreamDriverMode /Id\\\" \\\"/etc/rsyslog.d/encrypt.conf\\\"\\nelse\\n touch \\\"/etc/rsyslog.d/encrypt.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/rsyslog.d/encrypt.conf\\\"\\n\\ncp \\\"/etc/rsyslog.d/encrypt.conf\\\" \\\"/etc/rsyslog.d/encrypt.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"\\\\$ActionSendStreamDriverMode 1\\\" >> \\\"/etc/rsyslog.d/encrypt.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/rsyslog.d/encrypt.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"rsyslog_encrypt_offload_actionsendstreamdrivermode\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records\\n block:\\n\\n - name: Deduplicate values from /etc/rsyslog.conf\\n lineinfile:\\n path: /etc/rsyslog.conf\\n create: false\\n regexp: '^\\\\s*{{ \\\"$ActionSendStreamDriverMode\\\"| regex_escape }} '\\n state: absent\\n\\n - name: Check if /etc/rsyslog.d exists\\n stat:\\n path: /etc/rsyslog.d\\n register: _etc_rsyslog_d_exists\\n\\n - name: Check if the parameter $ActionSendStreamDriverMode is present in /etc/rsyslog.d\\n find:\\n paths: /etc/rsyslog.d\\n recurse: 'yes'\\n follow: 'no'\\n contains: '^\\\\s*{{ \\\"$ActionSendStreamDriverMode\\\"| regex_escape }} '\\n register: _etc_rsyslog_d_has_parameter\\n when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir\\n\\n - name: Remove parameter from files in /etc/rsyslog.d\\n lineinfile:\\n path: '{{ item.path }}'\\n create: false\\n regexp: '^\\\\s*{{ \\\"$ActionSendStreamDriverMode\\\"| regex_escape }} '\\n state: absent\\n with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'\\n when: _etc_rsyslog_d_has_parameter.matched\\n\\n - name: Insert correct line to /etc/rsyslog.conf\\n lineinfile:\\n path: /etc/rsyslog.conf\\n create: true\\n regexp: '^\\\\s*{{ \\\"$ActionSendStreamDriverMode\\\"| regex_escape }} '\\n line: $ActionSendStreamDriverMode 1\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-4(1)\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - rsyslog_encrypt_offload_actionsendstreamdrivermode\",\n \"id\": \"rsyslog_encrypt_offload_actionsendstreamdrivermode\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off a encrpytion system must be used.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001851"
+ ],
+ "nist": [
+ "AU-4 (1)"
+ ],
+ "severity": "medium",
+ "description": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off an encryption system must be used.",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Rsyslog Encrypts Off-Loaded Audit Records",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver",
+ "desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off an encryption system must be used.",
+ "descriptions": [
+ {
+ "data": "The audit records generated by Rsyslog contain valuable information regarding system\nconfiguration, user authentication, and other such information. Audit records should be\nprotected from unauthorized access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Rsyslog Encrypts Off-Loaded Audit Records\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"gnutls\",\n \"rsyslogd\"\n ],\n \"text\": \"Rsyslogd is a system utility providing support for message logging. Support\\nfor both internet and UNIX domain sockets enables this utility to support both local\\nand remote logging. Couple this utility with(which is a secure communications\\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\\nencrypt and off-load auditing.\\n\\nWhen usingto off-load logs off an encryption system must be used.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The audit records generated by Rsyslog contain valuable information regarding system\\nconfiguration, user authentication, and other such information. Audit records should be\\nprotected from unauthorized access.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/rsyslog.d/encrypt.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*\\\\$DefaultNetstreamDriver /Id\\\" \\\"/etc/rsyslog.d/encrypt.conf\\\"\\nelse\\n touch \\\"/etc/rsyslog.d/encrypt.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/rsyslog.d/encrypt.conf\\\"\\n\\ncp \\\"/etc/rsyslog.d/encrypt.conf\\\" \\\"/etc/rsyslog.d/encrypt.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"\\\\$DefaultNetstreamDriver gtls\\\" >> \\\"/etc/rsyslog.d/encrypt.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/rsyslog.d/encrypt.conf.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"rsyslog_encrypt_offload_defaultnetstreamdriver\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records\\n block:\\n\\n - name: Deduplicate values from /etc/rsyslog.conf\\n lineinfile:\\n path: /etc/rsyslog.conf\\n create: false\\n regexp: '^\\\\s*{{ \\\"$DefaultNetstreamDriver\\\"| regex_escape }} '\\n state: absent\\n\\n - name: Check if /etc/rsyslog.d exists\\n stat:\\n path: /etc/rsyslog.d\\n register: _etc_rsyslog_d_exists\\n\\n - name: Check if the parameter $DefaultNetstreamDriver is present in /etc/rsyslog.d\\n find:\\n paths: /etc/rsyslog.d\\n recurse: 'yes'\\n follow: 'no'\\n contains: '^\\\\s*{{ \\\"$DefaultNetstreamDriver\\\"| regex_escape }} '\\n register: _etc_rsyslog_d_has_parameter\\n when: _etc_rsyslog_d_exists.stat.isdir is defined and _etc_rsyslog_d_exists.stat.isdir\\n\\n - name: Remove parameter from files in /etc/rsyslog.d\\n lineinfile:\\n path: '{{ item.path }}'\\n create: false\\n regexp: '^\\\\s*{{ \\\"$DefaultNetstreamDriver\\\"| regex_escape }} '\\n state: absent\\n with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'\\n when: _etc_rsyslog_d_has_parameter.matched\\n\\n - name: Insert correct line to /etc/rsyslog.conf\\n lineinfile:\\n path: /etc/rsyslog.conf\\n create: true\\n regexp: '^\\\\s*{{ \\\"$DefaultNetstreamDriver\\\"| regex_escape }} '\\n line: $DefaultNetstreamDriver gtls\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-4(1)\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - rsyslog_encrypt_offload_defaultnetstreamdriver\",\n \"id\": \"rsyslog_encrypt_offload_defaultnetstreamdriver\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Rsyslogd is a system utility providing support for message logging. Support\nfor both internet and UNIX domain sockets enables this utility to support both local\nand remote logging. Couple this utility with(which is a secure communications\nlibrary implementing the SSL, TLS and DTLS protocols), and you have a method to securely\nencrypt and off-load auditing.\n\nWhen usingto off-load logs off an encryption system must be used.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "The group-owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's group owner:If the owner is not, run the following command to\ncorrect this:",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_groupownership:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.5.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.5.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.5.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.5.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Log Files Are Owned By Appropriate Group",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership",
+ "desc": "The group-owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's group owner:If the owner is not, run the following command to\ncorrect this:",
+ "descriptions": [
+ {
+ "data": "The log files generated by rsyslog contain valuable information regarding system\nconfiguration, user authentication, and other such information. Log files should be\nprotected from unauthorized access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Log Files Are Owned By Appropriate Group\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value\",\n \"use\": \"legacy\"\n }\n },\n \"/etc/rsyslog.conf\",\n \"/var/log\",\n \"/etc/rsyslog.conf\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"i\": \"LOGFILE\",\n \"pre\": [\n {\n \"i\": \"LOGFILE\",\n \"text\": \"$ ls -l\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value\",\n \"use\": \"legacy\"\n },\n \"i\": \"LOGFILE\",\n \"text\": \"$ sudo chgrp\"\n }\n ],\n \"text\": \"The group-owner of all log files written byshould be.\\nThese log files are determined by the second part of each Rule line inand typically all appear in.\\nFor each log filereferenced in,\\nrun the following command to inspect the file's group owner:If the owner is not, run the following command to\\ncorrect this:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.5.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.5.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The log files generated by rsyslog contain valuable information regarding system\\nconfiguration, user authentication, and other such information. Log files should be\\nprotected from unauthorized access.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_groupownership:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The group-owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's group owner:If the owner is not, run the following command to\ncorrect this:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "The owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's owner:If the owner is not, run the following command to\ncorrect this:",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_files_ownership",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_ownership:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.5.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.5.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_files_ownership",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.5.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.5.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Log Files Are Owned By Appropriate User",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_files_ownership",
+ "desc": "The owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's owner:If the owner is not, run the following command to\ncorrect this:",
+ "descriptions": [
+ {
+ "data": "The log files generated by rsyslog contain valuable information regarding system\nconfiguration, user authentication, and other such information. Log files should be\nprotected from unauthorized access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Log Files Are Owned By Appropriate User\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_owner_logfiles_value\",\n \"use\": \"legacy\"\n }\n },\n \"/etc/rsyslog.conf\",\n \"/var/log\",\n \"/etc/rsyslog.conf\",\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_owner_logfiles_value\",\n \"use\": \"legacy\"\n }\n }\n ],\n \"i\": \"LOGFILE\",\n \"pre\": [\n {\n \"i\": \"LOGFILE\",\n \"text\": \"$ ls -l\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_file_owner_logfiles_value\",\n \"use\": \"legacy\"\n },\n \"i\": \"LOGFILE\",\n \"text\": \"$ sudo chown\"\n }\n ],\n \"text\": \"The owner of all log files written byshould be.\\nThese log files are determined by the second part of each Rule line inand typically all appear in.\\nFor each log filereferenced in,\\nrun the following command to inspect the file's owner:If the owner is not, run the following command to\\ncorrect this:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.5.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.5.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The log files generated by rsyslog contain valuable information regarding system\\nconfiguration, user authentication, and other such information. Log files should be\\nprotected from unauthorized access.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_ownership:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_files_ownership\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The owner of all log files written byshould be.\nThese log files are determined by the second part of each Rule line inand typically all appear in.\nFor each log filereferenced in,\nrun the following command to inspect the file's owner:If the owner is not, run the following command to\ncorrect this:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "The file permissions for all log files written byshould\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line inand typically\nall appear in. For each log filereferenced in, run the following command to\ninspect the file's permissions:If the permissions are not 600 or more restrictive, run the following\ncommand to correct this:\"",
+ "group_id": "xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration",
+ "group_title": "Ensure Proper Configuration of Log Files",
+ "group_description": "The filecontrols where log message are written.\nThese are controlled by lines called, which consist of aand an.\nThese rules are often customized depending on the role of the system, the\nrequirements of the environment, and whatever may enable\nthe administrator to most effectively make use of log data.\nThe default rules in Ubuntu 18.04 are:See the man pagefor more information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_files_permissions",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_permissions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "Req-10.5.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.5.2",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_files_permissions",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "Req-10.5.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.5.2",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure System Log Files Have Correct Permissions",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_files_permissions",
+ "desc": "The file permissions for all log files written byshould\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line inand typically\nall appear in. For each log filereferenced in, run the following command to\ninspect the file's permissions:If the permissions are not 600 or more restrictive, run the following\ncommand to correct this:\"",
+ "descriptions": [
+ {
+ "data": "Log files can contain valuable information regarding system\nconfiguration. If the system log files are not protected unauthorized\nusers could change the logged data, eliminating their forensic value.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure System Log Files Have Correct Permissions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n \"/etc/rsyslog.conf\",\n \"/var/log\",\n \"/etc/rsyslog.conf\"\n ],\n \"i\": \"LOGFILE\",\n \"pre\": [\n {\n \"i\": \"LOGFILE\",\n \"text\": \"$ ls -l\"\n },\n {\n \"i\": \"LOGFILE\",\n \"text\": \"$ sudo chmod 0600\"\n }\n ],\n \"text\": \"The file permissions for all log files written byshould\\nbe set to 600, or more restrictive. These log files are determined by the\\nsecond part of each Rule line inand typically\\nall appear in. For each log filereferenced in, run the following command to\\ninspect the file's permissions:If the permissions are not 600 or more restrictive, run the following\\ncommand to correct this:\\\"\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"Req-10.5.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.5.2\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Log files can contain valuable information regarding system\\nconfiguration. If the system log files are not protected unauthorized\\nusers could change the logged data, eliminating their forensic value.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_files_permissions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_files_permissions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The file permissions for all log files written byshould\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line inand typically\nall appear in. For each log filereferenced in, run the following command to\ninspect the file's permissions:If the permissions are not 600 or more restrictive, run the following\ncommand to correct this:\"",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001665"
+ ],
+ "nist": [
+ "SC-24"
+ ],
+ "severity": "medium",
+ "description": "Theservice is an essential component of\nsystemd.\n\nTheservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_journald",
+ "group_title": "systemd-journald",
+ "group_description": "systemd-journald is a system service that collects and stores\nlogging data. It creates and maintains structured, indexed\njournals based on logging information that is received from a\nvariety of sources.\n\nFor more information onand additionalconfiguration options, see.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_systemd-journald_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_systemd-journald_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001665",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SC-24",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000269-GPOS-00103",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001665",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SC-24",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000269-GPOS-00103",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable systemd-journald Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled",
+ "desc": "Theservice is an essential component of\nsystemd.\n\nTheservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "In the event of a system failure, Ubuntu 18.04 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable systemd-journald Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"systemd-journald\",\n \"systemd-journald\"\n ],\n \"pre\": \"$ sudo systemctl enable systemd-journald.service\",\n \"text\": \"Theservice is an essential component of\\nsystemd.\\n\\nTheservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001665\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SC-24\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000269-GPOS-00103\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"In the event of a system failure, Ubuntu 18.04 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'systemd-journald.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'systemd-journald.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'systemd-journald.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_systemd-journald_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service systemd-journald\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service systemd-journald\\n service:\\n name: systemd-journald\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"systemd\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-SC-24\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_systemd-journald_enabled\",\n \"id\": \"service_systemd-journald_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_systemd-journald\\n\\nclass enable_systemd-journald {\\n service {'systemd-journald':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_systemd-journald_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"systemd-journald\\\"]\",\n \"id\": \"service_systemd-journald_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_systemd-journald_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_systemd-journald_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice is an essential component of\nsystemd.\n\nTheservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theutility allows for the automatic rotation of\nlog files. The frequency of rotation is specified in,\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\nthe following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_log_rotation",
+ "group_title": "Ensure All Logs are Rotated by logrotate",
+ "group_description": "Edit the file. Find the first\n\nline, which should look like this (wrapped for clarity):Edit this line so that it contains a one-space-separated\nlisting of each log file referenced in.All logs in use on a system must be rotated regularly, or the\nlog files will consume disk space over time, eventually interfering\nwith system operation. The fileis the\nconfiguration file used by theprogram to maintain all\nlog files written by. By default, it rotates logs weekly and\nstores four archival copies of each log. These settings can be\nmodified by editing, but the defaults are\nsufficient for purposes of this guide.Note thatis run nightly by the cron job. If particularly active logs need to be\nrotated more often than once a day, some other mechanism must be\nused.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_ensure_logrotate_activated",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ensure_logrotate_activated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R43)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT12(R18)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.7",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_ensure_logrotate_activated",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R43)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT12(R18)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.7",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Logrotate Runs Periodically",
+ "id": "xccdf_org.ssgproject.content_rule_ensure_logrotate_activated",
+ "desc": "Theutility allows for the automatic rotation of\nlog files. The frequency of rotation is specified in,\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\nthe following line in:",
+ "descriptions": [
+ {
+ "data": "Log files that are not properly rotated run the risk of growing so large\nthat they fill up the /var/log partition. Valuable logging information could be lost\nif the /var/log partition becomes full.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Logrotate Runs Periodically\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"logrotate\",\n \"/etc/logrotate.conf\",\n \"/etc/logrotate.conf\"\n ],\n \"pre\": {\n \"i\": \"frequency\",\n \"text\": \"# rotate log filesdaily\"\n },\n \"text\": \"Theutility allows for the automatic rotation of\\nlog files. The frequency of rotation is specified in,\\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\\nthe following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R43)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT12(R18)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.7\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Log files that are not properly rotated run the risk of growing so large\\nthat they fill up the /var/log partition. Valuable logging information could be lost\\nif the /var/log partition becomes full.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nLOGROTATE_CONF_FILE=\\\"/etc/logrotate.conf\\\"\\nCRON_DAILY_LOGROTATE_FILE=\\\"/etc/cron.daily/logrotate\\\"\\n\\n# daily rotation is configured\\ngrep -q \\\"^daily$\\\" $LOGROTATE_CONF_FILE|| echo \\\"daily\\\" >> $LOGROTATE_CONF_FILE\\n\\n# remove any line configuring weekly, monthly or yearly rotation\\nsed -i '/^\\\\s*\\\\(weekly\\\\|monthly\\\\|yearly\\\\).*$/d' $LOGROTATE_CONF_FILE\\n\\n# configure cron.daily if not already\\nif ! grep -q \\\"^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$\\\" $CRON_DAILY_LOGROTATE_FILE; then\\n\\techo \\\"#!/bin/sh\\\" > $CRON_DAILY_LOGROTATE_FILE\\n\\techo \\\"/usr/sbin/logrotate $LOGROTATE_CONF_FILE\\\" >> $CRON_DAILY_LOGROTATE_FILE\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"ensure_logrotate_activated\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Configure daily log rotation in /etc/logrotate.conf\\n lineinfile:\\n create: true\\n dest: /etc/logrotate.conf\\n regexp: ^daily$\\n line: daily\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.7\\n - configure_strategy\\n - ensure_logrotate_activated\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf\\n lineinfile:\\n create: false\\n dest: /etc/logrotate.conf\\n regexp: ^[\\\\s]*(weekly|monthly|yearly)$\\n state: absent\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.7\\n - configure_strategy\\n - ensure_logrotate_activated\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Configure cron.daily if not already\\n block:\\n\\n - name: Add shebang\\n lineinfile:\\n path: /etc/cron.daily/logrotate\\n line: '#!/bin/sh'\\n insertbefore: BOF\\n create: true\\n\\n - name: Add logrotate call\\n lineinfile:\\n path: /etc/cron.daily/logrotate\\n line: /usr/sbin/logrotate /etc/logrotate.conf\\n regexp: ^[\\\\s]*/usr/sbin/logrotate[\\\\s\\\\S]*/etc/logrotate.conf$\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.7\\n - configure_strategy\\n - ensure_logrotate_activated\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"ensure_logrotate_activated\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ensure_logrotate_activated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_ensure_logrotate_activated\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theutility allows for the automatic rotation of\nlog files. The frequency of rotation is specified in,\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\nthe following line in:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001311",
+ "CCI-001312"
+ ],
+ "nist": [
+ "SI-11 a",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "syslog-ng can be installed in replacement of rsyslog.\nThepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages",
+ "group_title": "Configure rsyslogd to Accept Remote Messages If Acting as a Log Server",
+ "group_description": "By default,does not listen over the network\nfor log messages. If needed, modules can be enabled to allow\nthe rsyslog daemon to receive messages from other systems and for the system\nthus to act as a log server.\nIf the system is not a log server, then lines concerning these modules\nshould remain commented out.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_syslogng_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_syslogng_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_syslogng_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001311",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001312",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_syslogng_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001311",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001312",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure syslog-ng is Installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_syslogng_installed",
+ "desc": "syslog-ng can be installed in replacement of rsyslog.\nThepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "The syslog-ng-core package provides the syslog-ng daemon, which provides\nsystem logging services.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure syslog-ng is Installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"syslog-ng-core\",\n \"pre\": \"$ apt-get install syslog-ng-core\",\n \"text\": \"syslog-ng can be installed in replacement of rsyslog.\\nThepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001311\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001312\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The syslog-ng-core package provides the syslog-ng daemon, which provides\\nsystem logging services.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"syslog-ng\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_syslogng_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure syslog-ng is installed\\n package:\\n name: syslog-ng\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_syslogng_installed\",\n \"id\": \"package_syslogng_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_syslog-ng\\n\\nclass install_syslog-ng {\\n package { 'syslog-ng':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_syslogng_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"syslog-ng\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_syslogng_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_syslogng_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_syslogng_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_syslogng_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "syslog-ng can be installed in replacement of rsyslog.\nThepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001311",
+ "CCI-001312",
+ "CCI-001557",
+ "CCI-001851"
+ ],
+ "nist": [
+ "SI-11 a",
+ "AC-4 (17) c",
+ "AU-4 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice (in replacement of rsyslog) provides syslog-style logging by default on Debian.\n\nTheservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages",
+ "group_title": "Configure rsyslogd to Accept Remote Messages If Acting as a Log Server",
+ "group_description": "By default,does not listen over the network\nfor log messages. If needed, modules can be enabled to allow\nthe rsyslog daemon to receive messages from other systems and for the system\nthus to act as a log server.\nIf the system is not a log server, then lines concerning these modules\nshould remain commented out.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_syslogng_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_syslogng_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001311",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001312",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001557",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_syslogng_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001311",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001312",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001557",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable syslog-ng Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_syslogng_enabled",
+ "desc": "Theservice (in replacement of rsyslog) provides syslog-style logging by default on Debian.\n\nTheservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Theservice must be running in order to provide\nlogging services, which are essential to system administration.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable syslog-ng Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"syslog-ng\",\n \"syslog-ng\"\n ],\n \"pre\": \"$ sudo systemctl enable syslog-ng.service\",\n \"text\": \"Theservice (in replacement of rsyslog) provides syslog-style logging by default on Debian.\\n\\nTheservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001311\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001312\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001557\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"syslog-ng\",\n \"text\": \"Theservice must be running in order to provide\\nlogging services, which are essential to system administration.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'syslog-ng.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'syslog-ng.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'syslog-ng.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_syslogng_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service syslog-ng\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service syslog-ng\\n service:\\n name: syslog-ng\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"syslog-ng\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-4(1)\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_syslogng_enabled\",\n \"id\": \"service_syslogng_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_syslog-ng\\n\\nclass enable_syslog-ng {\\n service {'syslog-ng':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_syslogng_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"syslog-ng\\\"]\",\n \"id\": \"service_syslogng_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_syslogng_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_syslogng_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice (in replacement of rsyslog) provides syslog-style logging by default on Debian.\n\nTheservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AU-6 (3)",
+ "AU-6 (4)"
+ ],
+ "severity": "unknown",
+ "description": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over TCP:",
+ "group_id": "xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages",
+ "group_title": "Configure rsyslogd to Accept Remote Messages If Acting as a Log Server",
+ "group_description": "By default,does not listen over the network\nfor log messages. If needed, modules can be enabled to allow\nthe rsyslog daemon to receive messages from other systems and for the system\nthus to act as a log server.\nIf the system is not a log server, then lines concerning these modules\nshould remain commented out.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-6(3)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-6(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-6(3)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-6(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable rsyslog to Accept Messages via TCP, if Acting As Log Server",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp",
+ "desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over TCP:",
+ "descriptions": [
+ {
+ "data": "If the system needs to act as a log server, this ensures that it can receive\nmessages over a reliable TCP connection.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Enable rsyslog to Accept Messages via TCP, if Acting As Log Server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n \"/etc/rsyslog.conf\"\n ],\n \"pre\": \"$ModLoad imtcp\\n$InputTCPServerRun 514\",\n \"text\": \"Thedaemon should not accept remote messages\\nunless the system acts as a log server.\\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over TCP:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-6(3)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-6(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"If the system needs to act as a log server, this ensures that it can receive\\nmessages over a reliable TCP connection.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over TCP:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AU-6 (3)",
+ "AU-6 (4)"
+ ],
+ "severity": "unknown",
+ "description": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over UDP:",
+ "group_id": "xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages",
+ "group_title": "Configure rsyslogd to Accept Remote Messages If Acting as a Log Server",
+ "group_description": "By default,does not listen over the network\nfor log messages. If needed, modules can be enabled to allow\nthe rsyslog daemon to receive messages from other systems and for the system\nthus to act as a log server.\nIf the system is not a log server, then lines concerning these modules\nshould remain commented out.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-6(3)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-6(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-6(3)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-6(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable rsyslog to Accept Messages via UDP, if Acting As Log Server",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp",
+ "desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over UDP:",
+ "descriptions": [
+ {
+ "data": "Many devices, such as switches, routers, and other Unix-like systems, may only support\nthe traditional syslog transmission over UDP. If the system must act as a log server,\nthis enables it to receive their messages as well.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Enable rsyslog to Accept Messages via UDP, if Acting As Log Server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n \"/etc/rsyslog.conf\"\n ],\n \"pre\": \"$ModLoad imudp\\n$UDPServerRun 514\",\n \"text\": \"Thedaemon should not accept remote messages\\nunless the system acts as a log server.\\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over UDP:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-6(3)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-6(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Many devices, such as switches, routers, and other Unix-like systems, may only support\\nthe traditional syslog transmission over UDP. If the system must act as a log server,\\nthis enables it to receive their messages as well.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedaemon should not accept remote messages\nunless the system acts as a log server.\nIf the system needs to act as a central log server, add the following lines toto enable reception of messages over UDP:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-001348",
+ "CCI-000136",
+ "CCI-001851"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AU-9 (2)",
+ "AU-3 (2)",
+ "AU-4 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To configure rsyslog to send logs to a remote log server,\nopenand read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines,\nsubstitutingappropriately.\nThe choice of protocol depends on the environment of the system;\nalthough TCP and RELP provide more reliable message delivery,\nthey may not be supported in all environments.To use UDP for log message delivery:To use TCP for log message delivery:To use RELP for log message delivery:There must be a resolvable DNS CNAME or Alias record set to \"\" for logs to be sent correctly to the centralized logging utility.",
+ "group_id": "xccdf_org.ssgproject.content_group_rsyslog_sending_messages",
+ "group_title": "Rsyslog Logs Sent To Remote Host",
+ "group_description": "If system logs are to be useful in detecting malicious\nactivities, it is necessary to send logs to a remote server. An\nintruder who has compromised the root account on a system may\ndelete the log entries which indicate that the system was attacked\nbefore they are seen by an administrator.However, it is recommended that logs be stored on the local\nhost in addition to being sent to the loghost, especially ifhas been configured to use the UDP protocol to send\nmessages over a network. UDP does not guarantee reliable delivery,\nand moderately busy sites will lose log messages occasionally,\nespecially in periods of high traffic which may be the result of an\nattack. In addition, remotemessages are not\nauthenticated in any way by default, so it is easy for an attacker to\nintroduce spurious messages to the central log server. Also, some\nproblems cause loss of network connectivity, which will prevent the\nsending of messages to the central server. For all of these reasons, it is\nbetter to store log messages both centrally and on each host, so\nthat they can be correlated if necessary.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_remote_loghost:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "rsyslog_remote_loghost",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R7)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT28(R43)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT12(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001348",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000136",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(B)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(5)(ii)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(6)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(8)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.314(a)(2)(i)(C)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.314(a)(2)(iii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-9(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1.1.c",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000342-GPOS-00133",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000032-VMM-000130",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R7)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT28(R43)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT12(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001348",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000136",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(B)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(5)(ii)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(6)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(8)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.314(a)(2)(i)(C)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.314(a)(2)(iii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-9(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1.1.c",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000342-GPOS-00133",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000032-VMM-000130"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Logs Sent To Remote Host",
+ "id": "xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost",
+ "desc": "To configure rsyslog to send logs to a remote log server,\nopenand read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines,\nsubstitutingappropriately.\nThe choice of protocol depends on the environment of the system;\nalthough TCP and RELP provide more reliable message delivery,\nthey may not be supported in all environments.To use UDP for log message delivery:To use TCP for log message delivery:To use RELP for log message delivery:There must be a resolvable DNS CNAME or Alias record set to \"\" for logs to be sent correctly to the centralized logging utility.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nrsyslog_remote_loghost_address=''\n\n\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\n# Otherwise, regular sed command will do.\nsed_command=('sed' '-i')\nif test -L \"/etc/rsyslog.conf\"; then\n sed_command+=('--follow-symlinks')\nfi\n\n# Strip any search characters in the key arg so that the key can be replaced without\n# adding any search characters to the config file.\nstripped_key=$(sed 's/[\\^=\\$,;+]*//g' <<< \"^\\*\\.\\*\")\n\n# shellcheck disable=SC2059\nprintf -v formatted_output \"%s %s\" \"$stripped_key\" \"@@$rsyslog_remote_loghost_address\"\n\n# If the key exists, change it. Otherwise, add it to the config_file.\n# We search for the key string followed by a word boundary (matched by \\>),\n# so if we search for 'setting', 'setting2' won't match.\nif LC_ALL=C grep -q -m 1 -i -e \"^\\*\\.\\*\\\\>\" \"/etc/rsyslog.conf\"; then\n escaped_formatted_output=$(sed -e 's|/|\\\\/|g' <<< \"$formatted_output\")\n \"${sed_command[@]}\" \"s/^\\*\\.\\*\\\\>.*/$escaped_formatted_output/gi\" \"/etc/rsyslog.conf\"\nelse\n # \\n is precaution for case where file ends without trailing newline\n \n printf '%s\\n' \"$formatted_output\" >> \"/etc/rsyslog.conf\"\nfi\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "A log server (loghost) receives syslog messages from one or more\nsystems. This data can be used as an additional log source in the event a\nsystem is compromised and its local logs are suspect. Forwarding log messages\nto a remote loghost also provides system administrators with a centralized\nplace to view the status of multiple hosts within the enterprise.",
+ "label": "rationale"
+ },
+ {
+ "data": "It is important to configure queues in case the client is sending log\nmessages to a remote server. If queues are not configured,\nthe system will stop functioning when the connection\nto the remote server is not available. Please consult Rsyslog\ndocumentation for more information about configuration of queues. The\nexample configuration which should go intocan look like the following lines:",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Logs Sent To Remote Host\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/rsyslog.conf\",\n {\n \"i\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n }\n }\n }\n ],\n \"br\": [\n \"\",\n \"\",\n \"\",\n \"\"\n ],\n \"pre\": [\n {\n \"i\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n }\n },\n \"text\": \"*.* @\"\n },\n {\n \"i\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n }\n },\n \"text\": \"*.* @@\"\n },\n {\n \"i\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n }\n },\n \"text\": \"*.* :omrelp:\"\n }\n ],\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n },\n \"text\": \"To configure rsyslog to send logs to a remote log server,\\nopenand read and understand the last section of the file,\\nwhich describes the multiple directives necessary to activate remote\\nlogging.\\nAlong with these other directives, the system can be configured\\nto forward its logs to a particular log server by\\nadding or correcting one of the following lines,\\nsubstitutingappropriately.\\nThe choice of protocol depends on the environment of the system;\\nalthough TCP and RELP provide more reliable message delivery,\\nthey may not be supported in all environments.To use UDP for log message delivery:To use TCP for log message delivery:To use RELP for log message delivery:There must be a resolvable DNS CNAME or Alias record set to \\\"\\\" for logs to be sent correctly to the centralized logging utility.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": \"/etc/rsyslog.conf\",\n \"pre\": \"$ActionQueueType LinkedList\\n$ActionQueueFileName queuefilename\\n$ActionQueueMaxDiskSpace 1g\\n$ActionQueueSaveOnShutdown on\\n$ActionResumeRetryCount -1\",\n \"text\": \"It is important to configure queues in case the client is sending log\\nmessages to a remote server. If queues are not configured,\\nthe system will stop functioning when the connection\\nto the remote server is not available. Please consult Rsyslog\\ndocumentation for more information about configuration of queues. The\\nexample configuration which should go intocan look like the following lines:\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R7)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT28(R43)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT12(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001348\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000136\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(B)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(5)(ii)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(6)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(8)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.314(a)(2)(i)(C)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.314(a)(2)(iii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-9(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1.1.c\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000342-GPOS-00133\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000032-VMM-000130\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"A log server (loghost) receives syslog messages from one or more\\nsystems. This data can be used as an additional log source in the event a\\nsystem is compromised and its local logs are suspect. Forwarding log messages\\nto a remote loghost also provides system administrators with a centralized\\nplace to view the status of multiple hosts within the enterprise.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nrsyslog_remote_loghost_address=''\\n\\n\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/rsyslog.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^\\\\*\\\\.\\\\*\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s %s\\\" \\\"$stripped_key\\\" \\\"@@$rsyslog_remote_loghost_address\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^\\\\*\\\\.\\\\*\\\\\\\\>\\\" \\\"/etc/rsyslog.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^\\\\*\\\\.\\\\*\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/rsyslog.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/rsyslog.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"rsyslog_remote_loghost\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-rsyslog_remote_loghost:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure rsyslog to send logs to a remote log server,\nopenand read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines,\nsubstitutingappropriately.\nThe choice of protocol depends on the environment of the system;\nalthough TCP and RELP provide more reliable message delivery,\nthey may not be supported in all environments.To use UDP for log message delivery:To use TCP for log message delivery:To use RELP for log message delivery:There must be a resolvable DNS CNAME or Alias record set to \"\" for logs to be sent correctly to the centralized logging utility.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001311",
+ "CCI-001312",
+ "CCI-000366"
+ ],
+ "nist": [
+ "SI-11 a",
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Rsyslog is installed by default. Thepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_logging",
+ "group_title": "Configure Syslog",
+ "group_description": "The syslog service has been the default Unix logging mechanism for\nmany years. It has a number of downsides, including inconsistent log format,\nlack of authentication for received messages, and lack of authentication,\nencryption, or reliable transport for messages sent over a network. However,\ndue to its long history, syslog is a de facto standard which is supported by\nalmost all Unix applications.In Ubuntu 18.04, rsyslog has replaced ksyslogd as the\nsyslog daemon of choice, and it includes some additional security features\nsuch as reliable, connection-oriented (i.e. TCP) transmission of logs, the\noption to log to database formats, and the encryption of log data en route to\na central logging server.\nThis section discusses how to configure rsyslog for\nbest effect, and how to use tools provided with the system to maintain and\nmonitor logs.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_rsyslog_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_rsyslog_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001311",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001312",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FTP_ITC_EXT.1.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000479-GPOS-00224",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000051-GPOS-00024",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_rsyslog_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001311",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001312",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FTP_ITC_EXT.1.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000479-GPOS-00224",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000051-GPOS-00024",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure rsyslog is Installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_rsyslog_installed",
+ "desc": "Rsyslog is installed by default. Thepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "The rsyslog package provides the rsyslog daemon, which provides\nsystem logging services.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure rsyslog is Installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"rsyslog\",\n \"pre\": \"$ apt-get install rsyslog\",\n \"text\": \"Rsyslog is installed by default. Thepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001311\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001312\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FTP_ITC_EXT.1.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000479-GPOS-00224\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000051-GPOS-00024\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The rsyslog package provides the rsyslog daemon, which provides\\nsystem logging services.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"rsyslog\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_rsyslog_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure rsyslog is installed\\n package:\\n name: rsyslog\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_rsyslog_installed\",\n \"id\": \"package_rsyslog_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_rsyslog\\n\\nclass install_rsyslog {\\n package { 'rsyslog':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_rsyslog_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"rsyslog\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_rsyslog_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_rsyslog_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_rsyslog_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Rsyslog is installed by default. Thepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001311",
+ "CCI-001312",
+ "CCI-001557",
+ "CCI-001851",
+ "CCI-000366"
+ ],
+ "nist": [
+ "SI-11 a",
+ "AC-4 (17) c",
+ "AU-4 (1)",
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice provides syslog-style logging by default on Ubuntu 18.04.\n\nTheservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_logging",
+ "group_title": "Configure Syslog",
+ "group_description": "The syslog service has been the default Unix logging mechanism for\nmany years. It has a number of downsides, including inconsistent log format,\nlack of authentication for received messages, and lack of authentication,\nencryption, or reliable transport for messages sent over a network. However,\ndue to its long history, syslog is a de facto standard which is supported by\nalmost all Unix applications.In Ubuntu 18.04, rsyslog has replaced ksyslogd as the\nsyslog daemon of choice, and it includes some additional security features\nsuch as reliable, connection-oriented (i.e. TCP) transmission of logs, the\noption to log to database formats, and the encryption of log data en route to\na central logging server.\nThis section discusses how to configure rsyslog for\nbest effect, and how to use tools provided with the system to maintain and\nmonitor logs.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_rsyslog_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_rsyslog_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R5)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT28(R46)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "2",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI04.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001311",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001312",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001557",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001851",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.312(a)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.2.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.7",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.15.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.17.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-4(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.SC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_rsyslog_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R5)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT28(R46)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "2",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI04.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001311",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001312",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001557",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001851",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.312(a)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.2.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.7",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.15.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.17.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-4(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.SC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable rsyslog Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_rsyslog_enabled",
+ "desc": "Theservice provides syslog-style logging by default on Ubuntu 18.04.\n\nTheservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Theservice must be running in order to provide\nlogging services, which are essential to system administration.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable rsyslog Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rsyslog\",\n \"rsyslog\"\n ],\n \"pre\": \"$ sudo systemctl enable rsyslog.service\",\n \"text\": \"Theservice provides syslog-style logging by default on Ubuntu 18.04.\\n\\nTheservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R5)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT28(R46)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"2\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI04.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001311\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001312\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001557\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001851\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.312(a)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.2.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.7\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.15.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.17.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-4(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.SC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"rsyslog\",\n \"text\": \"Theservice must be running in order to provide\\nlogging services, which are essential to system administration.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'rsyslog.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'rsyslog.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'rsyslog.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_rsyslog_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service rsyslog\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service rsyslog\\n service:\\n name: rsyslog\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"rsyslog\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-4(1)\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_rsyslog_enabled\",\n \"id\": \"service_rsyslog_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_rsyslog\\n\\nclass enable_rsyslog {\\n service {'rsyslog':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_rsyslog_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"rsyslog\\\"]\",\n \"id\": \"service_rsyslog_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_rsyslog_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_rsyslog_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice provides syslog-style logging by default on Ubuntu 18.04.\n\nTheservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-4",
+ "CM-7 b.",
+ "CA-3 (5)",
+ "SC-7 (21)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_activation",
+ "group_title": "Inspect and Activate Default Rules",
+ "group_description": "View the currently-enforcedrules by running\nthe command:The command is analogous for.If the firewall does not appear to be active (i.e., no rules\nappear), activate it and ensure that it starts at boot by issuing\nthe following commands (and analogously for):The default iptables rules are:Thedefault rules are essentially the same.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_ip6tables_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ip6tables_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ip6tables_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.2.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CA-3(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(21)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.AM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_ip6tables_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.2.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CA-3(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(21)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.AM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify ip6tables Enabled if Using IPv6",
+ "id": "xccdf_org.ssgproject.content_rule_service_ip6tables_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Theservice provides the system's host-based firewalling\ncapability for IPv6 and ICMPv6.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify ip6tables Enabled if Using IPv6\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"ip6tables\",\n \"pre\": \"$ sudo systemctl enable ip6tables.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.2.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CA-3(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(21)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.AM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"ip6tables\",\n \"text\": \"Theservice provides the system's host-based firewalling\\ncapability for IPv6 and ICMPv6.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'ip6tables.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'ip6tables.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'ip6tables.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_ip6tables_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service ip6tables\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service ip6tables\\n service:\\n name: ip6tables\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"iptables-ipv6\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-4\\n - NIST-800-53-CA-3(5)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-SC-7(21)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_ip6tables_enabled\",\n \"id\": \"service_ip6tables_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_ip6tables\\n\\nclass enable_ip6tables {\\n service {'ip6tables':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_ip6tables_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"ip6tables\\\"]\",\n \"id\": \"service_ip6tables_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ip6tables_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ip6tables_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_ip6tables_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-4",
+ "CM-7 b.",
+ "CA-3 (5)",
+ "SC-7 (21)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_activation",
+ "group_title": "Inspect and Activate Default Rules",
+ "group_description": "View the currently-enforcedrules by running\nthe command:The command is analogous for.If the firewall does not appear to be active (i.e., no rules\nappear), activate it and ensure that it starts at boot by issuing\nthe following commands (and analogously for):The default iptables rules are:Thedefault rules are essentially the same.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_iptables_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_iptables_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_iptables_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.2.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CA-3(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(21)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.AM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_iptables_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.2.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CA-3(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(21)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.AM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify iptables Enabled",
+ "id": "xccdf_org.ssgproject.content_rule_service_iptables_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Theservice provides the system's host-based firewalling\ncapability for IPv4 and ICMP.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify iptables Enabled\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"iptables\",\n \"pre\": \"$ sudo systemctl enable iptables.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.2.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CA-3(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(21)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.AM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"iptables\",\n \"text\": \"Theservice provides the system's host-based firewalling\\ncapability for IPv4 and ICMP.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'iptables.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'iptables.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'iptables.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_iptables_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service iptables\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service iptables\\n service:\\n name: iptables\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"iptables\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-4\\n - NIST-800-53-CA-3(5)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-SC-7(21)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_iptables_enabled\",\n \"id\": \"service_iptables_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_iptables\\n\\nclass enable_iptables {\\n service {'iptables':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_iptables_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"iptables\\\"]\",\n \"id\": \"service_iptables_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_iptables_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_iptables_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_iptables_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-4",
+ "CM-7 b.",
+ "CA-3 (5)",
+ "SC-7 (21)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:If changes were required, reload the ip6tables rules:",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_activation",
+ "group_title": "Inspect and Activate Default Rules",
+ "group_description": "View the currently-enforcedrules by running\nthe command:The command is analogous for.If the firewall does not appear to be active (i.e., no rules\nappear), activate it and ensure that it starts at boot by issuing\nthe following commands (and analogously for):The default iptables rules are:Thedefault rules are essentially the same.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "set_ip6tables_default_rule",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CA-3(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(21)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-1.4.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CA-3(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(21)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-1.4.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Default ip6tables Policy for Incoming Packets",
+ "id": "xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule",
+ "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:If changes were required, reload the ip6tables rules:",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/ip6tables",
+ "label": "fix"
+ },
+ {
+ "data": "In, the default policy is applied only after all\nthe applicable rules in the table are examined for a match. Setting the\ndefault policy toimplements proper design for a firewall, i.e.\nany packets which are not explicitly permitted should not be\naccepted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Default ip6tables Policy for Incoming Packets\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/sysconfig/ip6tables\",\n \"pre\": [\n \":INPUT DROP [0:0]\",\n \"$ sudo service ip6tables reload\"\n ],\n \"text\": \"To set the default policy to DROP (instead of ACCEPT) for\\nthe built-in INPUT chain which processes incoming packets,\\nadd or correct the following line in:If changes were required, reload the ip6tables rules:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CA-3(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(21)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-1.4.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"ip6tables\",\n \"DROP\"\n ],\n \"text\": \"In, the default policy is applied only after all\\nthe applicable rules in the table are examined for a match. Setting the\\ndefault policy toimplements proper design for a firewall, i.e.\\nany packets which are not explicitly permitted should not be\\naccepted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/ip6tables\",\n \"id\": \"set_ip6tables_default_rule\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:If changes were required, reload the ip6tables rules:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Configure the loopback interface to accept traffic.\nConfigure all other interfaces to deny traffic to the loopback\nnetwork.",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_activation",
+ "group_title": "Inspect and Activate Default Rules",
+ "group_description": "View the currently-enforcedrules by running\nthe command:The command is analogous for.If the firewall does not appear to be active (i.e., no rules\nappear), activate it and ensure that it starts at boot by issuing\nthe following commands (and analogously for):The default iptables rules are:Thedefault rules are essentially the same.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_ipv6_loopback_traffic_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "Req-1.4.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "ref": [
+ {
+ "text": "Req-1.4.1"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Set configuration for IPv6 loopback traffic",
+ "id": "xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic",
+ "desc": "Configure the loopback interface to accept traffic.\nConfigure all other interfaces to deny traffic to the loopback\nnetwork.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-set_ipv6_loopback_traffic_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Loopback traffic is generated between processes on machine and is\ntypically critical to operation of the system. The loopback interface\nis the only place that loopback network traffic should be seen,\nall other interfaces should ignore traffic on this network as an\nanti-spoofing measure.",
+ "label": "rationale"
+ },
+ {
+ "data": "Changing firewall settings while connected over network can\nresult in being locked out of the system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set configuration for IPv6 loopback traffic\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Configure the loopback interface to accept traffic.\\nConfigure all other interfaces to deny traffic to the loopback\\nnetwork.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Changing firewall settings while connected over network can\\nresult in being locked out of the system.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": {\n \"text\": \"Req-1.4.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n \"rationale\": {\n \"text\": \"Loopback traffic is generated between processes on machine and is\\ntypically critical to operation of the system. The loopback interface\\nis the only place that loopback network traffic should be seen,\\nall other interfaces should ignore traffic on this network as an\\nanti-spoofing measure.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_ipv6_loopback_traffic_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_set_ipv6_loopback_traffic\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Configure the loopback interface to accept traffic.\nConfigure all other interfaces to deny traffic to the loopback\nnetwork.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Configure the loopback interface to accept traffic. \nConfigure all other interfaces to deny traffic to the loopback \nnetwork.",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_activation",
+ "group_title": "Inspect and Activate Default Rules",
+ "group_description": "View the currently-enforcedrules by running\nthe command:The command is analogous for.If the firewall does not appear to be active (i.e., no rules\nappear), activate it and ensure that it starts at boot by issuing\nthe following commands (and analogously for):The default iptables rules are:Thedefault rules are essentially the same.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_set_loopback_traffic",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_loopback_traffic_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "Req-1.4.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_set_loopback_traffic",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "ref": [
+ {
+ "text": "Req-1.4.1"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Set configuration for loopback traffic",
+ "id": "xccdf_org.ssgproject.content_rule_set_loopback_traffic",
+ "desc": "Configure the loopback interface to accept traffic. \nConfigure all other interfaces to deny traffic to the loopback \nnetwork.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-set_loopback_traffic_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Loopback traffic is generated between processes on machine and is \ntypically critical to operation of the system. The loopback interface \nis the only place that loopback network traffic should be seen, all \nother interfaces should ignore traffic on this network as an\nanti-spoofing measure.",
+ "label": "rationale"
+ },
+ {
+ "data": "Changing firewall settings while connected over network can \nresult in being locked out of the system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set configuration for loopback traffic\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Configure the loopback interface to accept traffic. \\nConfigure all other interfaces to deny traffic to the loopback \\nnetwork.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"Changing firewall settings while connected over network can \\nresult in being locked out of the system.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": {\n \"text\": \"Req-1.4.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n \"rationale\": {\n \"text\": \"Loopback traffic is generated between processes on machine and is \\ntypically critical to operation of the system. The loopback interface \\nis the only place that loopback network traffic should be seen, all \\nother interfaces should ignore traffic on this network as an\\nanti-spoofing measure.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_loopback_traffic_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_set_loopback_traffic\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Configure the loopback interface to accept traffic. \nConfigure all other interfaces to deny traffic to the loopback \nnetwork.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CA-3 (5)",
+ "CM-7 b.",
+ "SC-7 (23)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_ruleset_modifications",
+ "group_title": "Strengthen the Default Ruleset",
+ "group_description": "The default rules can be strengthened. The system\nscripts that activate the firewall rules expect them to be defined\nin the configuration filesandin the directory. Many of the lines in these files are similar\nto the command line arguments that would be provided to the programsor- but some are quite\ndifferent.The following recommendations describe how to strengthen the\ndefault ruleset configuration file. An alternative to editing this\nconfiguration file is to create a shell script that makes calls to\nthe iptables program to load in rules, and then invokes service\niptables save to write those loaded rules toThe following alterations can be made directly toand.\nInstructions apply to both unless otherwise noted. Language and address\nconventions for regular iptables are used throughout this section;\nconfiguration for ip6tables will be either analogous or explicitly\ncovered.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "set_iptables_default_rule",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CA-3(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(23)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CA-3(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(23)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Default iptables Policy for Incoming Packets",
+ "id": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule",
+ "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables",
+ "label": "fix"
+ },
+ {
+ "data": "Inthe default policy is applied only after all\nthe applicable rules in the table are examined for a match. Setting the\ndefault policy toimplements proper design for a firewall, i.e.\nany packets which are not explicitly permitted should not be\naccepted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Default iptables Policy for Incoming Packets\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/sysconfig/iptables\",\n \"pre\": \":INPUT DROP [0:0]\",\n \"text\": \"To set the default policy to DROP (instead of ACCEPT) for\\nthe built-in INPUT chain which processes incoming packets,\\nadd or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CA-3(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(23)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"iptables\",\n \"DROP\"\n ],\n \"text\": \"Inthe default policy is applied only after all\\nthe applicable rules in the table are examined for a match. Setting the\\ndefault policy toimplements proper design for a firewall, i.e.\\nany packets which are not explicitly permitted should not be\\naccepted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables\",\n \"id\": \"set_iptables_default_rule\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_set_iptables_default_rule\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in INPUT chain which processes incoming packets,\nadd or correct the following line in:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CA-3 (5)",
+ "CM-7 b.",
+ "SC-7 (23)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in FORWARD chain which processes packets that will be forwarded from\none interface to another,\nadd or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_iptables_ruleset_modifications",
+ "group_title": "Strengthen the Default Ruleset",
+ "group_description": "The default rules can be strengthened. The system\nscripts that activate the firewall rules expect them to be defined\nin the configuration filesandin the directory. Many of the lines in these files are similar\nto the command line arguments that would be provided to the programsor- but some are quite\ndifferent.The following recommendations describe how to strengthen the\ndefault ruleset configuration file. An alternative to editing this\nconfiguration file is to create a shell script that makes calls to\nthe iptables program to load in rules, and then invokes service\niptables save to write those loaded rules toThe following alterations can be made directly toand.\nInstructions apply to both unless otherwise noted. Language and address\nconventions for regular iptables are used throughout this section;\nconfiguration for ip6tables will be either analogous or explicitly\ncovered.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "set_iptables_default_rule_forward",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CA-3(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(23)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CA-3(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(23)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Set Default iptables Policy for Forwarded Packets",
+ "id": "xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward",
+ "desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in FORWARD chain which processes packets that will be forwarded from\none interface to another,\nadd or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables",
+ "label": "fix"
+ },
+ {
+ "data": "In, the default policy is applied only after all\nthe applicable rules in the table are examined for a match. Setting the\ndefault policy toimplements proper design for a firewall, i.e.\nany packets which are not explicitly permitted should not be\naccepted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set Default iptables Policy for Forwarded Packets\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/sysconfig/iptables\",\n \"pre\": \":FORWARD DROP [0:0]\",\n \"text\": \"To set the default policy to DROP (instead of ACCEPT) for\\nthe built-in FORWARD chain which processes packets that will be forwarded from\\none interface to another,\\nadd or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CA-3(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(23)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"iptables\",\n \"DROP\"\n ],\n \"text\": \"In, the default policy is applied only after all\\nthe applicable rules in the table are examined for a match. Setting the\\ndefault policy toimplements proper design for a firewall, i.e.\\nany packets which are not explicitly permitted should not be\\naccepted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables\",\n \"id\": \"set_iptables_default_rule_forward\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the default policy to DROP (instead of ACCEPT) for\nthe built-in FORWARD chain which processes packets that will be forwarded from\none interface to another,\nadd or correct the following line in:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To prevent the IPv6 kernel module () from binding to the\nIPv6 networking stack, add the following line to(or another file in):This permits the IPv6 module to be loaded (and thus satisfy other modules that\ndepend on it), while disabling support for the IPv6 protocol.",
+ "group_id": "xccdf_org.ssgproject.content_group_disabling_ipv6",
+ "group_title": "Disable Support for IPv6 Unless Needed",
+ "group_description": "Despite configuration that suggests support for IPv6 has\nbeen disabled, link-local IPv6 address auto-configuration occurs\neven when only an IPv4 address is assigned. The only way to\neffectively prevent execution of the IPv6 networking stack is to\ninstruct the system not to activate the IPv6 kernel module.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_ipv6_option_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable IPv6 Networking Support Automatic Loading",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled",
+ "desc": "To prevent the IPv6 kernel module () from binding to the\nIPv6 networking stack, add the following line to(or another file in):This permits the IPv6 module to be loaded (and thus satisfy other modules that\ndepend on it), while disabling support for the IPv6 protocol.",
+ "descriptions": [
+ {
+ "data": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable IPv6 Networking Support Automatic Loading\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ipv6\",\n \"/etc/modprobe.d/disabled.conf\",\n \"/etc/modprobe.d\"\n ],\n \"pre\": \"options ipv6 disable=1\",\n \"text\": \"To prevent the IPv6 kernel module () from binding to the\\nIPv6 networking stack, add the following line to(or another file in):This permits the IPv6 module to be loaded (and thus satisfy other modules that\\ndepend on it), while disabling support for the IPv6 protocol.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\\nthe vulnerability to exploitation.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack\\necho \\\"options ipv6 disable=1\\\" > /etc/modprobe.d/ipv6.conf\\n\\n# Since according to: https://access.redhat.com/solutions/72733\\n# \\\"ipv6 disable=1\\\" options doesn't always disable the IPv6 networking stack from\\n# loading, instruct also sysctl configuration to disable IPv6 according to:\\n# https://access.redhat.com/solutions/8709#rhel6disable\\n\\ndeclare -a IPV6_SETTINGS=(\\\"net.ipv6.conf.all.disable_ipv6\\\" \\\"net.ipv6.conf.default.disable_ipv6\\\")\\n\\nfor setting in \\\"${IPV6_SETTINGS[@]}\\\"\\ndo\\n\\t# Set runtime =1 for setting\\n\\t/sbin/sysctl -q -n -w \\\"$setting=1\\\"\\n\\n\\t# If setting is present in /etc/sysctl.conf, change value to \\\"1\\\"\\n\\t# else, add \\\"$setting = 1\\\" to /etc/sysctl.conf\\n\\tif grep -q ^\\\"$setting\\\" /etc/sysctl.conf ; then\\n\\t\\tsed -i \\\"s/^$setting.*/$setting = 1/g\\\" /etc/sysctl.conf\\n\\telse\\n\\t\\techo \\\"\\\" >> /etc/sysctl.conf\\n\\t\\techo \\\"# Set $setting = 1 per security requirements\\\" >> /etc/sysctl.conf\\n\\t\\techo \\\"$setting = 1\\\" >> /etc/sysctl.conf\\n\\tfi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_ipv6_option_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Disable IPv6 Networking kernel module\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/ipv6.conf\\n regexp: ^options\\\\s+ipv6\\\\s+disable=\\\\d\\n line: options ipv6 disable=1\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_ipv6_option_disabled\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n\\n- name: Ensure disable_ipv6 (all and default) is set to 1\\n sysctl:\\n name: '{{ item }}'\\n value: '1'\\n state: present\\n reload: true\\n with_items:\\n - net.ipv6.conf.all.disable_ipv6\\n - net.ipv6.conf.default.disable_ipv6\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_ipv6_option_disabled\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\",\n \"id\": \"kernel_module_ipv6_option_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_ipv6_option_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To prevent the IPv6 kernel module () from binding to the\nIPv6 networking stack, add the following line to(or another file in):This permits the IPv6 module to be loaded (and thus satisfy other modules that\ndepend on it), while disabling support for the IPv6 protocol.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001551"
+ ],
+ "nist": [
+ "AC-4",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To disable support for () addressing on all interface add the following line to(or another file in):This disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "group_id": "xccdf_org.ssgproject.content_group_disabling_ipv6",
+ "group_title": "Disable Support for IPv6 Unless Needed",
+ "group_description": "Despite configuration that suggests support for IPv6 has\nbeen disabled, link-local IPv6 address auto-configuration occurs\neven when only an IPv4 address is assigned. The only way to\neffectively prevent execution of the IPv6 networking stack is to\ninstruct the system not to activate the IPv6 kernel module.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.20",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001551",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.20",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001551",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable IPv6 Addressing on All IPv6 Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6",
+ "desc": "To disable support for () addressing on all interface add the following line to(or another file in):This disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "descriptions": [
+ {
+ "data": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable IPv6 Addressing on All IPv6 Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ipv6\",\n \"/etc/sysctl.d/ipv6.conf\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": \"net.ipv6.conf.all.disable_ipv6 = 1\",\n \"text\": \"To disable support for () addressing on all interface add the following line to(or another file in):This disables IPv6 on all network interfaces as other services and system\\nfunctionality require the IPv6 stack loaded to work.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.20\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001551\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\\nthe vulnerability to exploitation.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv6.conf.all.disable_ipv6.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv6.conf.all.disable_ipv6\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for net.ipv6.conf.all.disable_ipv6\\n#\\n/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6=\\\"1\\\"\\n\\n#\\n# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to \\\"1\\\"\\n#\\telse, add \\\"net.ipv6.conf.all.disable_ipv6 = 1\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv6.conf.all.disable_ipv6\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"1\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv6.conf.all.disable_ipv6\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv6.conf.all.disable_ipv6\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv6_conf_all_disable_ipv6\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv6.conf.all.disable_ipv6.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_all_disable_ipv6\\n\\n- name: Comment out any occurrences of net.ipv6.conf.all.disable_ipv6 from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv6.conf.all.disable_ipv6\\n replace: '#net.ipv6.conf.all.disable_ipv6'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_all_disable_ipv6\\n\\n- name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1\\n sysctl:\\n name: net.ipv6.conf.all.disable_ipv6\\n value: '1'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_all_disable_ipv6\",\n \"id\": \"sysctl_net_ipv6_conf_all_disable_ipv6\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To disable support for () addressing on all interface add the following line to(or another file in):This disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001551"
+ ],
+ "nist": [
+ "AC-4",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To disable support for () addressing on interfaces by default add the following line to(or another file in):This disables IPv6 on network interfaces by default as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "group_id": "xccdf_org.ssgproject.content_group_disabling_ipv6",
+ "group_title": "Disable Support for IPv6 Unless Needed",
+ "group_description": "Despite configuration that suggests support for IPv6 has\nbeen disabled, link-local IPv6 address auto-configuration occurs\neven when only an IPv4 address is assigned. The only way to\neffectively prevent execution of the IPv6 networking stack is to\ninstruct the system not to activate the IPv6 kernel module.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.20",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001551",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.20",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001551",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable IPv6 Addressing on IPv6 Interfaces by Default",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6",
+ "desc": "To disable support for () addressing on interfaces by default add the following line to(or another file in):This disables IPv6 on network interfaces by default as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "descriptions": [
+ {
+ "data": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable IPv6 Addressing on IPv6 Interfaces by Default\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ipv6\",\n \"/etc/sysctl.d/ipv6.conf\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": \"net.ipv6.conf.default.disable_ipv6 = 1\",\n \"text\": \"To disable support for () addressing on interfaces by default add the following line to(or another file in):This disables IPv6 on network interfaces by default as other services and system\\nfunctionality require the IPv6 stack loaded to work.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.20\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001551\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\\nthe vulnerability to exploitation.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv6.conf.default.disable_ipv6.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv6.conf.default.disable_ipv6\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for net.ipv6.conf.default.disable_ipv6\\n#\\n/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6=\\\"1\\\"\\n\\n#\\n# If net.ipv6.conf.default.disable_ipv6 present in /etc/sysctl.conf, change value to \\\"1\\\"\\n#\\telse, add \\\"net.ipv6.conf.default.disable_ipv6 = 1\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv6.conf.default.disable_ipv6\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"1\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv6.conf.default.disable_ipv6\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv6.conf.default.disable_ipv6\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv6_conf_default_disable_ipv6\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv6.conf.default.disable_ipv6.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_default_disable_ipv6\\n\\n- name: Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv6.conf.default.disable_ipv6\\n replace: '#net.ipv6.conf.default.disable_ipv6'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_default_disable_ipv6\\n\\n- name: Ensure sysctl net.ipv6.conf.default.disable_ipv6 is set to 1\\n sysctl:\\n name: net.ipv6.conf.default.disable_ipv6\\n value: '1'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.20\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv6_conf_default_disable_ipv6\",\n \"id\": \"sysctl_net_ipv6_conf_default_disable_ipv6\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To disable support for () addressing on interfaces by default add the following line to(or another file in):This disables IPv6 on network interfaces by default as other services and system\nfunctionality require the IPv6 stack loaded to work.",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_accept_local:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable Accepting Packets Routed Between Local Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Configureto consider as invalid the packets\nreceived from outside whose source is the 127.0.0.0/8 address block.\nIn combination with suitable routing, this can be used to direct packets between two\nlocal interfaces over the wire and have them accepted properly.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Accepting Packets Routed Between Local Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.all.accept_local\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w net.ipv4.conf.all.accept_local=0\",\n \"net.ipv4.conf.all.accept_local = 0\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": \"net.ipv4.conf.all.accept_local=0\",\n \"text\": \"Configureto consider as invalid the packets\\nreceived from outside whose source is the 127.0.0.0/8 address block.\\nIn combination with suitable routing, this can be used to direct packets between two\\nlocal interfaces over the wire and have them accepted properly.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.all.accept_local from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.all.accept_local.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.all.accept_local\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for net.ipv4.conf.all.accept_local\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_local=\\\"0\\\"\\n\\n#\\n# If net.ipv4.conf.all.accept_local present in /etc/sysctl.conf, change value to \\\"0\\\"\\n#\\telse, add \\\"net.ipv4.conf.all.accept_local = 0\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.all.accept_local\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"0\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.all.accept_local\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.all.accept_local\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_all_accept_local\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.all.accept_local.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_accept_local\\n\\n- name: Comment out any occurrences of net.ipv4.conf.all.accept_local from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.all.accept_local\\n replace: '#net.ipv4.conf.all.accept_local'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_accept_local\\n\\n- name: Ensure sysctl net.ipv4.conf.all.accept_local is set to 0\\n sysctl:\\n name: net.ipv4.conf.all.accept_local\\n value: '0'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_accept_local\",\n \"id\": \"sysctl_net_ipv4_conf_all_accept_local\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_accept_local:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_filter:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "net.ipv4.conf.default.arp_filter",
+ "lang": "en-US"
+ },
+ "description": "Controls whether the ARP filter is enabled or not.\n\n1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each\ninterface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface.\nIn other words it allows control of which cards (usually 1) will respond to an ARP request.\n\n0 - (default) The kernel can respond to arp requests with addresses from other interfaces.\nThis may seem wrong but it usually makes sense, because it increases the chance of successful communication.\nIP addresses are owned by the complete host on Linux, not by particular interfaces.",
+ "value": [
+ "0",
+ {
+ "text": "0",
+ "selector": "disabled"
+ },
+ {
+ "text": "1",
+ "selector": "enabled"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure ARP filtering for All IPv4 Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Prevents the Linux Kernel from handling the ARP table globally.\nBy default, the kernel may respond to an ARP request from a certain interface with information\nfrom another interface.",
+ "label": "rationale"
+ },
+ {
+ "data": "This behaviour may cause problems to system on a high availability or load balancing configuration.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure ARP filtering for All IPv4 Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.all.arp_filter\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo sysctl -w net.ipv4.conf.all.arp_filter=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"net.ipv4.conf.all.arp_filter =\"\n }\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"This behaviour may cause problems to system on a high availability or load balancing configuration.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n \"rationale\": {\n \"text\": \"Prevents the Linux Kernel from handling the ARP table globally.\\nBy default, the kernel may respond to an ARP request from a certain interface with information\\nfrom another interface.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.all.arp_filter from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.all.arp_filter.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.all.arp_filter\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\nsysctl_net_ipv4_conf_all_arp_filter_value=''\\n\\n\\n#\\n# Set runtime for net.ipv4.conf.all.arp_filter\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter=\\\"$sysctl_net_ipv4_conf_all_arp_filter_value\\\"\\n\\n#\\n# If net.ipv4.conf.all.arp_filter present in /etc/sysctl.conf, change value to appropriate value\\n#\\telse, add \\\"net.ipv4.conf.all.arp_filter = value\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.all.arp_filter\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$sysctl_net_ipv4_conf_all_arp_filter_value\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.all.arp_filter\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.all.arp_filter\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_all_arp_filter\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.all.arp_filter.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_filter\\n\\n- name: Comment out any occurrences of net.ipv4.conf.all.arp_filter from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.all.arp_filter\\n replace: '#net.ipv4.conf.all.arp_filter'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_filter\\n- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_filter_value # promote to variable\\n set_fact:\\n sysctl_net_ipv4_conf_all_arp_filter_value: !!strtags:\\n - always\\n\\n- name: Ensure sysctl net.ipv4.conf.all.arp_filter is set\\n sysctl:\\n name: net.ipv4.conf.all.arp_filter\\n value: '{{ sysctl_net_ipv4_conf_all_arp_filter_value }}'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_filter\",\n \"id\": \"sysctl_net_ipv4_conf_all_arp_filter\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_filter:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "net.ipv4.conf.default.arp_ignore",
+ "lang": "en-US"
+ },
+ "description": "Control the response modes for ARP queries that resolve local target IP addresses:\n\n0 - (default): reply for any local target IP address, configured on any interface\n1 - reply only if the target IP address is local address configured on the incoming interface\n2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender’s IP address are part from same subnet on this interface\n3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied\n4-7 - reserved\n8 - do not reply for all local addresses",
+ "value": [
+ "0",
+ {
+ "text": "0",
+ "selector": "0"
+ },
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "2",
+ "selector": "2"
+ },
+ {
+ "text": "3",
+ "selector": "3"
+ },
+ {
+ "text": "8",
+ "selector": "8"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Response Mode of ARP Requests for All IPv4 Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Avoids ARP Flux on system that have more than one interface on the same subnet.",
+ "label": "rationale"
+ },
+ {
+ "data": "The ARP response mode may impact behaviour of workloads and firewalls on the system.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Response Mode of ARP Requests for All IPv4 Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.all.arp_ignore\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"net.ipv4.conf.all.arp_ignore =\"\n }\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"The ARP response mode may impact behaviour of workloads and firewalls on the system.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n \"rationale\": {\n \"text\": \"Avoids ARP Flux on system that have more than one interface on the same subnet.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.all.arp_ignore from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.all.arp_ignore.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.all.arp_ignore\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\nsysctl_net_ipv4_conf_all_arp_ignore_value=''\\n\\n\\n#\\n# Set runtime for net.ipv4.conf.all.arp_ignore\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore=\\\"$sysctl_net_ipv4_conf_all_arp_ignore_value\\\"\\n\\n#\\n# If net.ipv4.conf.all.arp_ignore present in /etc/sysctl.conf, change value to appropriate value\\n#\\telse, add \\\"net.ipv4.conf.all.arp_ignore = value\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.all.arp_ignore\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$sysctl_net_ipv4_conf_all_arp_ignore_value\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.all.arp_ignore\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.all.arp_ignore\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_all_arp_ignore\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.all.arp_ignore.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_ignore\\n\\n- name: Comment out any occurrences of net.ipv4.conf.all.arp_ignore from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.all.arp_ignore\\n replace: '#net.ipv4.conf.all.arp_ignore'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_ignore\\n- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_ignore_value # promote to variable\\n set_fact:\\n sysctl_net_ipv4_conf_all_arp_ignore_value: !!strtags:\\n - always\\n\\n- name: Ensure sysctl net.ipv4.conf.all.arp_ignore is set\\n sysctl:\\n name: net.ipv4.conf.all.arp_ignore\\n value: '{{ sysctl_net_ipv4_conf_all_arp_ignore_value }}'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_arp_ignore\",\n \"id\": \"sysctl_net_ipv4_conf_all_arp_ignore\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_route_localnet:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Refuse the routing of packets whose source or destination address is the local loopback.\nThis prohibits the use of network 127/8 for local routing purposes.\nEnablingcan expose applications listening on localhost to external traffic.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.all.route_localnet\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0\",\n \"net.ipv4.conf.all.route_localnet = 0\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": \"route_localnet\",\n \"text\": \"Refuse the routing of packets whose source or destination address is the local loopback.\\nThis prohibits the use of network 127/8 for local routing purposes.\\nEnablingcan expose applications listening on localhost to external traffic.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.all.route_localnet from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.all.route_localnet.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.all.route_localnet\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for net.ipv4.conf.all.route_localnet\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet=\\\"0\\\"\\n\\n#\\n# If net.ipv4.conf.all.route_localnet present in /etc/sysctl.conf, change value to \\\"0\\\"\\n#\\telse, add \\\"net.ipv4.conf.all.route_localnet = 0\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.all.route_localnet\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"0\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.all.route_localnet\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.all.route_localnet\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_all_route_localnet\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.all.route_localnet.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_route_localnet\\n\\n- name: Comment out any occurrences of net.ipv4.conf.all.route_localnet from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.all.route_localnet\\n replace: '#net.ipv4.conf.all.route_localnet'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_route_localnet\\n\\n- name: Ensure sysctl net.ipv4.conf.all.route_localnet is set to 0\\n sysctl:\\n name: net.ipv4.conf.all.route_localnet\\n value: '0'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_route_localnet\",\n \"id\": \"sysctl_net_ipv4_conf_all_route_localnet\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_route_localnet:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_shared_media:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "net.ipv4.conf.all.shared_media",
+ "lang": "en-US"
+ },
+ "description": "Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects.for the interface will be enabled if at least one of conf/{all,interface}/shared_media\nis set to TRUE, it will be disabled otherwise.",
+ "value": [
+ "0",
+ {
+ "text": "0",
+ "selector": "disabled"
+ },
+ {
+ "text": "1",
+ "selector": "enabled"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "This setting should be aligned withbecause it overrides it.\nIfis enabled for an interfacewill be enabled too.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.all.shared_media\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo sysctl -w net.ipv4.conf.all.shared_media=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"net.ipv4.conf.all.shared_media =\"\n }\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": [\n \"net.ipv4.conf.all.secure_redirects\",\n \"shared_media\",\n \"secure_redirects\"\n ],\n \"text\": \"This setting should be aligned withbecause it overrides it.\\nIfis enabled for an interfacewill be enabled too.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.all.shared_media from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.all.shared_media.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.all.shared_media\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\nsysctl_net_ipv4_conf_all_shared_media_value=''\\n\\n\\n#\\n# Set runtime for net.ipv4.conf.all.shared_media\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media=\\\"$sysctl_net_ipv4_conf_all_shared_media_value\\\"\\n\\n#\\n# If net.ipv4.conf.all.shared_media present in /etc/sysctl.conf, change value to appropriate value\\n#\\telse, add \\\"net.ipv4.conf.all.shared_media = value\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.all.shared_media\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$sysctl_net_ipv4_conf_all_shared_media_value\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.all.shared_media\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.all.shared_media\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_all_shared_media\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.all.shared_media.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_shared_media\\n\\n- name: Comment out any occurrences of net.ipv4.conf.all.shared_media from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.all.shared_media\\n replace: '#net.ipv4.conf.all.shared_media'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_shared_media\\n- name: XCCDF Value sysctl_net_ipv4_conf_all_shared_media_value # promote to variable\\n set_fact:\\n sysctl_net_ipv4_conf_all_shared_media_value: !!strtags:\\n - always\\n\\n- name: Ensure sysctl net.ipv4.conf.all.shared_media is set\\n sysctl:\\n name: net.ipv4.conf.all.shared_media\\n value: '{{ sysctl_net_ipv4_conf_all_shared_media_value }}'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_all_shared_media\",\n \"id\": \"sysctl_net_ipv4_conf_all_shared_media\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_all_shared_media:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_network_host_and_router_parameters",
+ "group_title": "Network Related Kernel Runtime Parameters for Hosts and Routers",
+ "group_description": "Certain kernel parameters should be set for systems which are\nacting as either hosts or routers to improve the system's ability defend\nagainst certain types of IPv4 protocol attacks.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_default_shared_media:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "net.ipv4.conf.default.shared_media",
+ "lang": "en-US"
+ },
+ "description": "Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects.for the interface will be enabled if at least one of conf/{all,interface}/shared_media\nis set to TRUE, it will be disabled otherwise.",
+ "value": [
+ "0",
+ {
+ "text": "0",
+ "selector": "disabled"
+ },
+ {
+ "text": "1",
+ "selector": "enabled"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Sending and Accepting Shared Media Redirects by Default",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "This setting should be aligned withbecause it overrides it.\nIfis enabled for an interfacewill be enabled too.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Sending and Accepting Shared Media Redirects by Default\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"net.ipv4.conf.default.shared_media\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo sysctl -w net.ipv4.conf.default.shared_media=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"net.ipv4.conf.default.shared_media =\"\n }\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": [\n \"net.ipv4.conf.default.secure_redirects\",\n \"shared_media\",\n \"secure_redirects\"\n ],\n \"text\": \"This setting should be aligned withbecause it overrides it.\\nIfis enabled for an interfacewill be enabled too.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of net.ipv4.conf.default.shared_media from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*net.ipv4.conf.default.shared_media.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"net.ipv4.conf.default.shared_media\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\nsysctl_net_ipv4_conf_default_shared_media_value=''\\n\\n\\n#\\n# Set runtime for net.ipv4.conf.default.shared_media\\n#\\n/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media=\\\"$sysctl_net_ipv4_conf_default_shared_media_value\\\"\\n\\n#\\n# If net.ipv4.conf.default.shared_media present in /etc/sysctl.conf, change value to appropriate value\\n#\\telse, add \\\"net.ipv4.conf.default.shared_media = value\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^net.ipv4.conf.default.shared_media\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$sysctl_net_ipv4_conf_default_shared_media_value\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^net.ipv4.conf.default.shared_media\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^net.ipv4.conf.default.shared_media\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_net_ipv4_conf_default_shared_media\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*net.ipv4.conf.default.shared_media.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_default_shared_media\\n\\n- name: Comment out any occurrences of net.ipv4.conf.default.shared_media from config\\n files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*net.ipv4.conf.default.shared_media\\n replace: '#net.ipv4.conf.default.shared_media'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_default_shared_media\\n- name: XCCDF Value sysctl_net_ipv4_conf_default_shared_media_value # promote to variable\\n set_fact:\\n sysctl_net_ipv4_conf_default_shared_media_value: !!strtags:\\n - always\\n\\n- name: Ensure sysctl net.ipv4.conf.default.shared_media is set\\n sysctl:\\n name: net.ipv4.conf.default.shared_media\\n value: '{{ sysctl_net_ipv4_conf_default_shared_media_value }}'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_net_ipv4_conf_default_shared_media\",\n \"id\": \"sysctl_net_ipv4_conf_default_shared_media\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_net_ipv4_conf_default_shared_media:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002314"
+ ],
+ "nist": [
+ "AC-17 (1)"
+ ],
+ "severity": "medium",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_network-ufw",
+ "group_title": "Uncomplicated Firewall (ufw)",
+ "group_description": "The Linux kernel in Ubuntu provides a packet filtering system called\nnetfilter, and the traditional interface for manipulating netfilter are\nthe iptables suite of commands. iptables provide a complete firewall\nsolution that is both highly configurable and highly flexible.\n\nBecoming proficient in iptables takes time, and getting started with\nnetfilter firewalling using only iptables can be a daunting task. As a\nresult, many frontends for iptables have been created over the years,\neach trying to achieve a different result and targeting a different\naudience.\n\nThe Uncomplicated Firewall (ufw) is a frontend for iptables and is\nparticularly well-suited for host-based firewalls. ufw provides a\nframework for managing netfilter, as well as a command-line interface\nfor manipulating the firewall. ufw aims to provide an easy to use\ninterface for people unfamiliar with firewall concepts, while at the\nsame time simplifies complicated iptables commands to help an\nadministrator who knows what he or she is doing. ufw is an upstream\nfor other distributions and graphical frontends.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_ufw_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ufw_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ufw_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000297-GPOS-00115",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_ufw_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000297-GPOS-00115",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify ufw Enabled",
+ "id": "xccdf_org.ssgproject.content_rule_service_ufw_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "The ufw service must be enabled and running in order for ufw to protect the system",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify ufw Enabled\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"ufw\",\n \"pre\": \"$ sudo systemctl enable ufw.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000297-GPOS-00115\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"The ufw service must be enabled and running in order for ufw to protect the system\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'ufw.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'ufw.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'ufw.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_ufw_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service ufw\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service ufw\\n service:\\n name: ufw\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"ufw\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_ufw_enabled\",\n \"id\": \"service_ufw_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_ufw\\n\\nclass enable_ufw {\\n service {'ufw':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_ufw_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"ufw\\\"]\",\n \"id\": \"service_ufw_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ufw_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ufw_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_ufw_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "The Reliable Datagram Sockets (RDS) protocol is a transport\nlayer protocol designed to provide reliable high-bandwidth,\nlow-latency communications between nodes in a cluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "group_id": "xccdf_org.ssgproject.content_group_network-uncommon",
+ "group_title": "Uncommon Network Protocols",
+ "group_description": "The system includes support for several network protocols which are not commonly used.\nAlthough security vulnerabilities in kernel networking code are not frequently discovered,\nthe consequences can be dramatic. Ensuring uncommon network protocols are disabled\nreduces the system's risk to attacks targeted at its implementation of those protocols.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_rds_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable RDS Support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled",
+ "desc": "The Reliable Datagram Sockets (RDS) protocol is a transport\nlayer protocol designed to provide reliable high-bandwidth,\nlow-latency communications between nodes in a cluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "descriptions": [
+ {
+ "data": "Disabling RDS protects\nthe system against exploitation of any flaws in its implementation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable RDS Support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"rds\",\n \"/etc/modprobe.d/rds.conf\"\n ],\n \"pre\": \"install rds /bin/true\",\n \"text\": \"The Reliable Datagram Sockets (RDS) protocol is a transport\\nlayer protocol designed to provide reliable high-bandwidth,\\nlow-latency communications between nodes in a cluster.\\n\\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disabling RDS protects\\nthe system against exploitation of any flaws in its implementation.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install rds\\\" /etc/modprobe.d/rds.conf ; then\\n\\t\\n\\tsed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/rds.conf\\n\\techo \\\"install rds /bin/true\\\" >> /etc/modprobe.d/rds.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_rds_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'rds' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/rds.conf\\n regexp: rds\\n line: install rds /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_rds_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_rds_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_rds_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The Reliable Datagram Sockets (RDS) protocol is a transport\nlayer protocol designed to provide reliable high-bandwidth,\nlow-latency communications between nodes in a cluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000381"
+ ],
+ "nist": [
+ "CM-7 a",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "The Transparent Inter-Process Communication (TIPC) protocol\nis designed to provide communications between nodes in a\ncluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "group_id": "xccdf_org.ssgproject.content_group_network-uncommon",
+ "group_title": "Uncommon Network Protocols",
+ "group_description": "The system includes support for several network protocols which are not commonly used.\nAlthough security vulnerabilities in kernel networking code are not frequently discovered,\nthe consequences can be dramatic. Ensuring uncommon network protocols are disabled\nreduces the system's risk to attacks targeted at its implementation of those protocols.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_tipc_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000381",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000095-GPOS-00049",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000381",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000095-GPOS-00049",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable TIPC Support",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled",
+ "desc": "The Transparent Inter-Process Communication (TIPC) protocol\nis designed to provide communications between nodes in a\ncluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "descriptions": [
+ {
+ "data": "Disabling TIPC protects\nthe system against exploitation of any flaws in its implementation.",
+ "label": "rationale"
+ },
+ {
+ "data": "This configuration baseline was created to deploy the base operating system for general purpose\nworkloads. When the operating system is configured for certain purposes, such as\na node in High Performance Computing cluster, it is expected that\nthekernel module will be loaded.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable TIPC Support\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"tipc\",\n \"/etc/modprobe.d/tipc.conf\"\n ],\n \"pre\": \"install tipc /bin/true\",\n \"text\": \"The Transparent Inter-Process Communication (TIPC) protocol\\nis designed to provide communications between nodes in a\\ncluster.\\n\\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": \"tipc\",\n \"text\": \"This configuration baseline was created to deploy the base operating system for general purpose\\nworkloads. When the operating system is configured for certain purposes, such as\\na node in High Performance Computing cluster, it is expected that\\nthekernel module will be loaded.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000381\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000095-GPOS-00049\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disabling TIPC protects\\nthe system against exploitation of any flaws in its implementation.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install tipc\\\" /etc/modprobe.d/tipc.conf ; then\\n\\t\\n\\tsed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/tipc.conf\\n\\techo \\\"install tipc /bin/true\\\" >> /etc/modprobe.d/tipc.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_tipc_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'tipc' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/tipc.conf\\n regexp: tipc\\n line: install tipc /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_tipc_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_tipc_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_tipc_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The Transparent Inter-Process Communication (TIPC) protocol\nis designed to provide communications between nodes in a\ncluster.\n\nTo configure the system to prevent thekernel module from being loaded, add the following line to the file:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_backup_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns Backup group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information regarding groups that are configured on the system.\nProtection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns Backup group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/group-\",\n \"pre\": \"$ sudo chgrp root /etc/group-\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/group-\",\n \"/etc/group\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information regarding groups that are configured on the system.\\nProtection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 0 /etc/group-\",\n \"id\": \"file_groupowner_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group-\\n stat:\\n path: /etc/group-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 0 on /etc/group-\\n file:\\n path: /etc/group-\\n group: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_backup_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns Backup gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup of, and as such,\nit contains group password hashes. Protection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns Backup gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow-\",\n \"pre\": \"$ sudo chgrp shadow /etc/gshadow-\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/gshadow-\",\n \"/etc/gshadow\"\n ],\n \"text\": \"Thefile is a backup of, and as such,\\nit contains group password hashes. Protection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 42 /etc/gshadow-\",\n \"id\": \"file_groupowner_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow-\\n stat:\\n path: /etc/gshadow-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 42 on /etc/gshadow-\\n file:\\n path: /etc/gshadow-\\n group: '42'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_backup_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns Backup passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information about the users that are configured on the system.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns Backup passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd-\",\n \"pre\": \"$ sudo chgrp root /etc/passwd-\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/passwd-\",\n \"/etc/passwd\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information about the users that are configured on the system.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 0 /etc/passwd-\",\n \"id\": \"file_groupowner_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd-\\n stat:\\n path: /etc/passwd-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 0 on /etc/passwd-\\n file:\\n path: /etc/passwd-\\n group: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_groupowner_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_backup_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os",
+ "ref": [
+ {
+ "text": "SRG-OS-000480-GPOS-00227"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns Backup shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains the list of local system accounts and password hashes.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns Backup shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow-\",\n \"pre\": \"$ sudo chgrp shadow /etc/shadow-\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n \"rationale\": {\n \"code\": [\n \"/etc/shadow-\",\n \"/etc/shadow\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains the list of local system accounts and password hashes.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 42 /etc/shadow-\",\n \"id\": \"file_groupowner_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow-\\n stat:\\n path: /etc/shadow-\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_groupowner_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 42 on /etc/shadow-\\n file:\\n path: /etc/shadow-\\n group: '42'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_groupowner_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_group",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information regarding groups that are configured\non the system. Protection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/group\",\n \"pre\": \"$ sudo chgrp root /etc/group\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/group\",\n \"text\": \"Thefile contains information regarding groups that are configured\\non the system. Protection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 0 /etc/group\",\n \"id\": \"file_groupowner_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group\\n stat:\\n path: /etc/group\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 0 on /etc/group\\n file:\\n path: /etc/group\\n group: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains group password hashes. Protection of this file\nis critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow\",\n \"pre\": \"$ sudo chgrp shadow /etc/gshadow\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/gshadow\",\n \"text\": \"Thefile contains group password hashes. Protection of this file\\nis critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 42 /etc/gshadow\",\n \"id\": \"file_groupowner_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow\\n stat:\\n path: /etc/gshadow\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_groupowner_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 42 on /etc/gshadow\\n file:\\n path: /etc/gshadow\\n group: '42'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_groupowner_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information about the users that are configured on\nthe system. Protection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd\",\n \"pre\": \"$ sudo chgrp root /etc/passwd\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/passwd\",\n \"text\": \"Thefile contains information about the users that are configured on\\nthe system. Protection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 0 /etc/passwd\",\n \"id\": \"file_groupowner_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd\\n stat:\\n path: /etc/passwd\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 0 on /etc/passwd\\n file:\\n path: /etc/passwd\\n group: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_groupowner_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile stores password hashes. Protection of this file is\ncritical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow\",\n \"pre\": \"$ sudo chgrp shadow /etc/shadow\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/shadow\",\n \"text\": \"Thefile stores password hashes. Protection of this file is\\ncritical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 42 /etc/shadow\",\n \"id\": \"file_groupowner_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow\\n stat:\\n path: /etc/shadow\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 42 on /etc/shadow\\n file:\\n path: /etc/shadow\\n group: '42'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_groupowner_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_backup_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns Backup group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information regarding groups that are configured on the system.\nProtection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns Backup group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/group-\",\n \"pre\": \"$ sudo chown root /etc/group-\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/group-\",\n \"/etc/group\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information regarding groups that are configured on the system.\\nProtection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/group-\",\n \"id\": \"file_owner_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group-\\n stat:\\n path: /etc/group-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/group-\\n file:\\n path: /etc/group-\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_backup_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns Backup gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup of, and as such,\nit contains group password hashes. Protection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns Backup gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow-\",\n \"pre\": \"$ sudo chown root /etc/gshadow-\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/gshadow-\",\n \"/etc/gshadow\"\n ],\n \"text\": \"Thefile is a backup of, and as such,\\nit contains group password hashes. Protection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/gshadow-\",\n \"id\": \"file_owner_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow-\\n stat:\\n path: /etc/gshadow-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/gshadow-\\n file:\\n path: /etc/gshadow-\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_backup_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns Backup passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information about the users that are configured on the system.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns Backup passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd-\",\n \"pre\": \"$ sudo chown root /etc/passwd-\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/passwd-\",\n \"/etc/passwd\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information about the users that are configured on the system.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/passwd-\",\n \"id\": \"file_owner_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd-\\n stat:\\n path: /etc/passwd-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/passwd-\\n file:\\n path: /etc/passwd-\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_backup_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns Backup shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains the list of local system accounts and password hashes.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns Backup shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow-\",\n \"pre\": \"$ sudo chown root /etc/shadow-\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/shadow-\",\n \"/etc/shadow\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains the list of local system accounts and password hashes.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/shadow-\",\n \"id\": \"file_owner_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow-\\n stat:\\n path: /etc/shadow-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/shadow-\\n file:\\n path: /etc/shadow-\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_owner_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_etc_group",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information regarding groups that are configured\non the system. Protection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/group\",\n \"pre\": \"$ sudo chown root /etc/group\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/group\",\n \"text\": \"Thefile contains information regarding groups that are configured\\non the system. Protection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/group\",\n \"id\": \"file_owner_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group\\n stat:\\n path: /etc/group\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/group\\n file:\\n path: /etc/group\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains group password hashes. Protection of this file\nis critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow\",\n \"pre\": \"$ sudo chown root /etc/gshadow\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/gshadow\",\n \"text\": \"Thefile contains group password hashes. Protection of this file\\nis critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/gshadow\",\n \"id\": \"file_owner_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow\\n stat:\\n path: /etc/gshadow\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_owner_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/gshadow\\n file:\\n path: /etc/gshadow\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_owner_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_etc_passwd",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information about the users that are configured on\nthe system. Protection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd\",\n \"pre\": \"$ sudo chown root /etc/passwd\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/passwd\",\n \"text\": \"Thefile contains information about the users that are configured on\\nthe system. Protection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/passwd\",\n \"id\": \"file_owner_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd\\n stat:\\n path: /etc/passwd\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/passwd\\n file:\\n path: /etc/passwd\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_owner_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_etc_shadow",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains the list of local\nsystem accounts and stores password hashes. Protection of this file is\ncritical for system security. Failure to give ownership of this file\nto root provides the designated owner with access to sensitive information\nwhich could weaken the system security posture.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow\",\n \"pre\": \"$ sudo chown root /etc/shadow\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/shadow\",\n \"text\": \"Thefile contains the list of local\\nsystem accounts and stores password hashes. Protection of this file is\\ncritical for system security. Failure to give ownership of this file\\nto root provides the designated owner with access to sensitive information\\nwhich could weaken the system security posture.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /etc/shadow\",\n \"id\": \"file_owner_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow\\n stat:\\n path: /etc/shadow\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /etc/shadow\\n file:\\n path: /etc/shadow\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_owner_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_backup_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on Backup group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information regarding groups that are configured on the system.\nProtection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on Backup group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/group-\",\n \"pre\": \"$ sudo chmod 0644 /etc/group-\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/group-\",\n \"/etc/group\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information regarding groups that are configured on the system.\\nProtection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwt /etc/group-\",\n \"id\": \"file_permissions_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group-\\n stat:\\n path: /etc/group-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group-\\n file:\\n path: /etc/group-\\n mode: u-xs,g-xws,o-xwt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_backup_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_backup_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on Backup gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup of, and as such,\nit contains group password hashes. Protection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on Backup gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow-\",\n \"pre\": \"$ sudo chmod 0640 /etc/gshadow-\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/gshadow-\",\n \"/etc/gshadow\"\n ],\n \"text\": \"Thefile is a backup of, and as such,\\nit contains group password hashes. Protection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /etc/gshadow-\",\n \"id\": \"file_permissions_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow-\\n stat:\\n path: /etc/gshadow-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/gshadow-\\n file:\\n path: /etc/gshadow-\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_backup_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_backup_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on Backup passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains information about the users that are configured on the system.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on Backup passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd-\",\n \"pre\": \"$ sudo chmod 0644 /etc/passwd-\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/passwd-\",\n \"/etc/passwd\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains information about the users that are configured on the system.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwt /etc/passwd-\",\n \"id\": \"file_permissions_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd-\\n stat:\\n path: /etc/passwd-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd-\\n file:\\n path: /etc/passwd-\\n mode: u-xs,g-xws,o-xwt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_backup_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AC-6 (1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_backup_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AC-6 (1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on Backup shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile is a backup file of, and as such,\nit contains the list of local system accounts and password hashes.\nProtection of this file is critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on Backup shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow-\",\n \"pre\": \"$ sudo chmod 0640 /etc/shadow-\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AC-6 (1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/etc/shadow-\",\n \"/etc/shadow\"\n ],\n \"text\": \"Thefile is a backup file of, and as such,\\nit contains the list of local system accounts and password hashes.\\nProtection of this file is critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /etc/shadow-\",\n \"id\": \"file_permissions_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow-\\n stat:\\n path: /etc/shadow-\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow-\\n file:\\n path: /etc/shadow-\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6 (1)\\n - configure_strategy\\n - file_permissions_backup_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_backup_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_backup_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_group",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_etc_group:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_etc_group",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on group File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_group",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information regarding groups that are configured\non the system. Protection of this file is important for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on group File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd\",\n \"pre\": \"$ sudo chmod 0644 /etc/passwd\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/group\",\n \"text\": \"Thefile contains information regarding groups that are configured\\non the system. Protection of this file is important for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwt /etc/group\",\n \"id\": \"file_permissions_etc_group\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/group\\n stat:\\n path: /etc/group\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwt on /etc/group\\n file:\\n path: /etc/group\\n mode: u-xs,g-xws,o-xwt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_group\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_etc_group\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_group:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_group_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_etc_group\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_etc_gshadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on gshadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains group password hashes. Protection of this file\nis critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on gshadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/gshadow\",\n \"pre\": \"$ sudo chmod 0640 /etc/gshadow\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/gshadow\",\n \"text\": \"Thefile contains group password hashes. Protection of this file\\nis critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /etc/gshadow\",\n \"id\": \"file_permissions_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/gshadow\\n stat:\\n path: /etc/gshadow\\n register: file_exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/gshadow\\n file:\\n path: /etc/gshadow\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_etc_gshadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_etc_gshadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_gshadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_gshadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_etc_passwd:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on passwd File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "If thefile is writable by a group-owner or the\nworld the risk of its compromise is increased. The file contains the list of\naccounts on the system and associated information, and protection of this file\nis critical for system security.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on passwd File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/passwd\",\n \"pre\": \"$ sudo chmod 0644 /etc/passwd\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/passwd\",\n \"text\": \"If thefile is writable by a group-owner or the\\nworld the risk of its compromise is increased. The file contains the list of\\naccounts on the system and associated information, and protection of this file\\nis critical for system security.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwt /etc/passwd\",\n \"id\": \"file_permissions_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/passwd\\n stat:\\n path: /etc/passwd\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwt on /etc/passwd\\n file:\\n path: /etc/passwd\\n mode: u-xs,g-xws,o-xwt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_passwd\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_etc_passwd\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_passwd:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_passwd_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002223"
+ ],
+ "nist": [
+ "AC-6 (1) (b)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_important_account_files",
+ "group_title": "Verify Permissions on Files with Local Account Information and Credentials",
+ "group_description": "The default restrictive permissions for files which act as\nimportant security databases such as,,, andfiles must be maintained. Many utilities\nneed read access to thefile in order to function properly, but\nread access to thefile allows malicious attacks against system\npasswords, and should never be enabled.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.2.2",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002223",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.7.c",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_etc_shadow:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.2.2",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002223",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.7.c",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on shadow File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains the list of local\nsystem accounts and stores password hashes. Protection of this file is\ncritical for system security. Failure to give ownership of this file\nto root provides the designated owner with access to sensitive information\nwhich could weaken the system security posture.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on shadow File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/shadow\",\n \"pre\": \"$ sudo chmod 0640 /etc/shadow\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.2.2\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002223\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.7.c\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/shadow\",\n \"text\": \"Thefile contains the list of local\\nsystem accounts and stores password hashes. Protection of this file is\\ncritical for system security. Failure to give ownership of this file\\nto root provides the designated owner with access to sensitive information\\nwhich could weaken the system security posture.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /etc/shadow\",\n \"id\": \"file_permissions_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /etc/shadow\\n stat:\\n path: /etc/shadow\\n register: file_exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow\\n file:\\n path: /etc/shadow\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - CJIS-5.5.2.2\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-8.7.c\\n - configure_strategy\\n - file_permissions_etc_shadow\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_etc_shadow\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_etc_shadow:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_etc_shadow_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns /var/log Directory",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns /var/log Directory\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log\",\n \"pre\": \"$ sudo chgrp syslog /var/log\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log\",\n \"text\": \"Thedirectory contains files with logs of error\\nmessages in the system and should only be accessed by authorized\\npersonnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /var/log/ -maxdepth 1 -type d -exec chgrp 110 {} \\\\;\",\n \"id\": \"file_groupowner_var_log\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Ensure group owner on /var/log/\\n file:\\n path: /var/log/\\n state: directory\\n group: '110'\\n tags:\\n - configure_strategy\\n - file_groupowner_var_log\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_var_log\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_var_log\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns /var/log/messages File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns /var/log/messages File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/messages\",\n \"pre\": \"$ sudo chgrp root /var/log/messages\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/messages\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 0 /var/log/messages\",\n \"id\": \"file_groupowner_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/messages\\n stat:\\n path: /var/log/messages\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_groupowner_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 0 on /var/log/messages\\n file:\\n path: /var/log/messages\\n group: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_groupowner_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the group owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Group Who Owns /var/log/syslog File",
+ "id": "xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog",
+ "desc": "To properly set the group owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Group Who Owns /var/log/syslog File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/syslog\",\n \"pre\": \"$ sudo chgrp adm /var/log/syslog\",\n \"text\": \"To properly set the group owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/syslog\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chgrp 4 /var/log/syslog\",\n \"id\": \"file_groupowner_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/syslog\\n stat:\\n path: /var/log/syslog\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_groupowner_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure group owner 4 on /var/log/syslog\\n file:\\n path: /var/log/syslog\\n group: '4'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_groupowner_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_groupowner_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_groupowner_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the group owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_var_log",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_var_log",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns /var/log Directory",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_var_log",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns /var/log Directory\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log\",\n \"pre\": \"$ sudo chown root /var/log\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log\",\n \"text\": \"Thedirectory contains files with logs of error\\nmessages in the system and should only be accessed by authorized\\npersonnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \\\\;\",\n \"id\": \"file_owner_var_log\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Ensure owner on directory /var/log/\\n file:\\n path: /var/log/\\n state: directory\\n owner: '0'\\n tags:\\n - configure_strategy\\n - file_owner_var_log\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_var_log\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_var_log\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_var_log_messages",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_var_log_messages",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns /var/log/messages File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_var_log_messages",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns /var/log/messages File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/messages\",\n \"pre\": \"$ sudo chown root /var/log/messages\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/messages\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 0 /var/log/messages\",\n \"id\": \"file_owner_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/messages\\n stat:\\n path: /var/log/messages\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_owner_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 0 on /var/log/messages\\n file:\\n path: /var/log/messages\\n owner: '0'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_owner_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_var_log_messages\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the owner of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify User Who Owns /var/log/syslog File",
+ "id": "xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog",
+ "desc": "To properly set the owner of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify User Who Owns /var/log/syslog File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/syslog\",\n \"pre\": \"$ sudo chown syslog /var/log/syslog\",\n \"text\": \"To properly set the owner of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/syslog\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chown 104 /var/log/syslog\",\n \"id\": \"file_owner_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/syslog\\n stat:\\n path: /var/log/syslog\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_owner_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner 104 on /var/log/syslog\\n file:\\n path: /var/log/syslog\\n owner: '104'\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_owner_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_owner_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_owner_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the owner of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_var_log",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on /var/log Directory",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on /var/log Directory\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log\",\n \"pre\": \"$ sudo chmod 0755 /var/log\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log\",\n \"text\": \"Thedirectory contains files with logs of error\\nmessages in the system and should only be accessed by authorized\\npersonnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod 0755 /var/log/\\n\\nif grep -q \\\"^z \\\\/var\\\\/log \\\" /usr/lib/tmpfiles.d/00rsyslog.conf; then\\n sed -i --follow-symlinks \\\"s/\\\\(^z[[:space:]]\\\\+\\\\/var\\\\/log[[:space:]]\\\\+\\\\)\\\\(\\\\([[:digit:]]\\\\+\\\\)[^ $]*\\\\)/\\\\10755/\\\" /usr/lib/tmpfiles.d/00rsyslog.conf\\nfi\",\n \"id\": \"file_permissions_var_log\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Set permissions for /var/log/\\n file:\\n path: /var/log/\\n state: directory\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - file_permissions_var_log\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_var_log\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_var_log\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on /var/log/messages File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on /var/log/messages File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/messages\",\n \"pre\": \"$ sudo chmod 0640 /var/log/messages\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/messages\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /var/log/messages\",\n \"id\": \"file_permissions_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/messages\\n stat:\\n path: /var/log/messages\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_permissions_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/messages\\n file:\\n path: /var/log/messages\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_permissions_var_log_messages\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_var_log_messages\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log_messages:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001314"
+ ],
+ "nist": [
+ "SI-11 b"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_var_log_dir",
+ "group_title": "Verify Permissions on Files within /var/log Directory",
+ "group_description": "Thedirectory contains files with logs of error\nmessages in the system and should only be accessed by authorized\npersonnel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001314",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000206-GPOS-00084",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001314",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000206-GPOS-00084",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on /var/log/syslog File",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains logs of error messages in\nthe system and should only be accessed by authorized personnel.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on /var/log/syslog File\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/var/log/syslog\",\n \"pre\": \"$ sudo chmod 0640 /var/log/syslog\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001314\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000206-GPOS-00084\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/log/syslog\",\n \"text\": \"Thefile contains logs of error messages in\\nthe system and should only be accessed by authorized personnel.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"chmod u-xs,g-xws,o-xwrt /var/log/syslog\",\n \"id\": \"file_permissions_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Test for existence /var/log/syslog\\n stat:\\n path: /var/log/syslog\\n register: file_exists\\n tags:\\n - configure_strategy\\n - file_permissions_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/syslog\\n file:\\n path: /var/log/syslog\\n mode: u-xs,g-xws,o-xwrt\\n when: file_exists.stat is defined and file_exists.stat.exists\\n tags:\\n - configure_strategy\\n - file_permissions_var_log_syslog\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_var_log_syslog\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_var_log_syslog:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_var_log_syslog_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001495"
+ ],
+ "nist": [
+ "AU-9"
+ ],
+ "severity": "medium",
+ "description": "All these directories should be owned by theuser.\nIf any directoryin these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_ownership_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_ownership_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001495",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000258-GPOS-00099",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001495",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000258-GPOS-00099",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that System Executable Have Root Ownership",
+ "id": "xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs",
+ "desc": "All these directories should be owned by theuser.\nIf any directoryin these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "System binaries are executed by privileged users as well as system services,\nand restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that System Executable Have Root Ownership\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/bin\\n/sbin\\n/usr/bin\\n/usr/sbin\\n/usr/local/bin\\n/usr/local/sbin\",\n {\n \"i\": \"DIR\",\n \"text\": \"$ sudo chown root\"\n }\n ],\n \"code\": \"root\",\n \"i\": \"DIR\",\n \"text\": \"All these directories should be owned by theuser.\\nIf any directoryin these directories is found\\nto be owned by a user other than root, correct its ownership with the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001495\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000258-GPOS-00099\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"System binaries are executed by privileged users as well as system services,\\nand restrictive permissions are necessary to ensure that their\\nexecution of these programs cannot be co-opted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /bin/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /sbin/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/bin/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/sbin/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/local/bin/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/local/sbin/ -type d -exec chown 0 {} \\\\;\",\n \"id\": \"dir_ownership_binary_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Ensure owner on directory /bin/ recursively\\n file:\\n path: /bin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /sbin/ recursively\\n file:\\n path: /sbin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/bin/ recursively\\n file:\\n path: /usr/bin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/sbin/ recursively\\n file:\\n path: /usr/sbin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/local/bin/ recursively\\n file:\\n path: /usr/local/bin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/local/sbin/ recursively\\n file:\\n path: /usr/local/sbin/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - configure_strategy\\n - dir_ownership_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"dir_ownership_binary_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_ownership_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_ownership_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "All these directories should be owned by theuser.\nIf any directoryin these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-5 (6) (1)"
+ ],
+ "severity": "medium",
+ "description": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directories, is found to be owned\nby a user other than root correct its\nownership with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_ownership_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that Shared Library Directories Have Root Ownership",
+ "id": "xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs",
+ "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directories, is found to be owned\nby a user other than root correct its\nownership with the following command:",
+ "descriptions": [
+ {
+ "data": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership of library directories is necessary to protect\nthe integrity of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that Shared Library Directories Have Root Ownership\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/lib\\n/lib64\\n/usr/lib\\n/usr/lib64\",\n {\n \"i\": \"DIR\",\n \"text\": \"$ sudo chown root\"\n }\n ],\n \"code\": [\n \"/lib/modules\",\n \"root\"\n ],\n \"text\": \"System-wide shared library files, which are linked to executables\\nduring process load time or run time, are stored in the following directories\\nby default:Kernel modules, which can be added to the kernel during runtime, are also\\nstored in. All files in these directories should be\\nowned by theuser. If the directories, is found to be owned\\nby a user other than root correct its\\nownership with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Files from shared library directories are loaded into the address\\nspace of processes (including privileged ones) or of the kernel itself at\\nruntime. Proper ownership of library directories is necessary to protect\\nthe integrity of the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /lib/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /lib64/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/lib/ -type d -exec chown 0 {} \\\\;\\n\\nfind -H /usr/lib64/ -type d -exec chown 0 {} \\\\;\",\n \"id\": \"dir_ownership_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Ensure owner on directory /lib/ recursively\\n file:\\n path: /lib/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /lib64/ recursively\\n file:\\n path: /lib64/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/lib/ recursively\\n file:\\n path: /usr/lib/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on directory /usr/lib64/ recursively\\n file:\\n path: /usr/lib64/\\n state: directory\\n recurse: true\\n owner: '0'\\n tags:\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"dir_ownership_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_ownership_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directories, is found to be owned\nby a user other than root correct its\nownership with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001495"
+ ],
+ "nist": [
+ "AU-9"
+ ],
+ "severity": "medium",
+ "description": "System executables are stored in the following directories by default:These directories should not be group-writable or world-writable.\nIf any directoryin these directories is found to be\ngroup-writable or world-writable, correct its permission with the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_permissions_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_permissions_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001495",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000258-GPOS-00099",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001495",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000258-GPOS-00099",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that System Executable Directories Have Restrictive Permissions",
+ "id": "xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs",
+ "desc": "System executables are stored in the following directories by default:These directories should not be group-writable or world-writable.\nIf any directoryin these directories is found to be\ngroup-writable or world-writable, correct its permission with the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "System binaries are executed by privileged users, as well as system services,\nand restrictive permissions are necessary to ensure execution of these programs\ncannot be co-opted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that System Executable Directories Have Restrictive Permissions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/bin\\n/sbin\\n/usr/bin\\n/usr/sbin\\n/usr/local/bin\\n/usr/local/sbin\",\n {\n \"i\": \"DIR\",\n \"text\": \"$ sudo chmod go-w\"\n }\n ],\n \"i\": \"DIR\",\n \"text\": \"System executables are stored in the following directories by default:These directories should not be group-writable or world-writable.\\nIf any directoryin these directories is found to be\\ngroup-writable or world-writable, correct its permission with the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001495\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000258-GPOS-00099\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"System binaries are executed by privileged users, as well as system services,\\nand restrictive permissions are necessary to ensure execution of these programs\\ncannot be co-opted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\\n\\nfind -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\\n\\nfind -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\\n\\nfind -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\\n\\nfind -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\\n\\nfind -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \\\\;\",\n \"id\": \"dir_permissions_binary_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Set permissions for /bin/ recursively\\n file:\\n path: /bin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /sbin/ recursively\\n file:\\n path: /sbin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/bin/ recursively\\n file:\\n path: /usr/bin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/sbin/ recursively\\n file:\\n path: /usr/sbin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/local/bin/ recursively\\n file:\\n path: /usr/local/bin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/local/sbin/ recursively\\n file:\\n path: /usr/local/sbin/\\n state: directory\\n recurse: true\\n mode: u-s,g-ws,o-wt\\n tags:\\n - configure_strategy\\n - dir_permissions_binary_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"dir_permissions_binary_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_permissions_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_permissions_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System executables are stored in the following directories by default:These directories should not be group-writable or world-writable.\nIf any directoryin these directories is found to be\ngroup-writable or world-writable, correct its permission with the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-5",
+ "CM-5 (6) (1)"
+ ],
+ "severity": "medium",
+ "description": "System-wide shared library directories, which contain are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All sub-directories in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_permissions_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-003-8 R6",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-003-8 R6",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that Shared Library Directories Have Restrictive Permissions",
+ "id": "xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs",
+ "desc": "System-wide shared library directories, which contain are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All sub-directories in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "descriptions": [
+ {
+ "data": "If the operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing\nand approvals that are part of a robust change management process.\n\nThis requirement applies to operating systems with software libraries that are accessible\nand configurable, as in the case of interpreted languages. Software libraries also include\nprivileged programs which execute with escalated privileges. Only qualified and authorized\nindividuals must be allowed to obtain access to information system components for purposes\nof initiating changes, including upgrades and modifications.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that Shared Library Directories Have Restrictive Permissions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/lib\\n/lib64\\n/usr/lib\\n/usr/lib64\",\n {\n \"i\": \"DIR\",\n \"text\": \"$ sudo chmod go-w\"\n }\n ],\n \"code\": \"/lib/modules\",\n \"text\": \"System-wide shared library directories, which contain are linked to executables\\nduring process load time or run time, are stored in the following directories\\nby default:Kernel modules, which can be added to the kernel during runtime, are\\nstored in. All sub-directories in these directories\\nshould not be group-writable or world-writable. If any file in these\\ndirectories is found to be group-writable or world-writable, correct\\nits permission with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-003-8 R6\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If the operating system were to allow any user to make changes to software libraries,\\nthen those changes might be implemented without undergoing the appropriate testing\\nand approvals that are part of a robust change management process.\\n\\nThis requirement applies to operating systems with software libraries that are accessible\\nand configurable, as in the case of interpreted languages. Software libraries also include\\nprivileged programs which execute with escalated privileges. Only qualified and authorized\\nindividuals must be allowed to obtain access to information system components for purposes\\nof initiating changes, including upgrades and modifications.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /usr/lib/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /usr/lib64/ -perm /g+w,o+w -type d -exec chmod g-w,o-w {} \\\\;\",\n \"id\": \"dir_permissions_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Set permissions for /lib/ recursively\\n file:\\n path: /lib/\\n state: directory\\n recurse: true\\n mode: g-w,o-w\\n tags:\\n - NIST-800-53-CM-5\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /lib64/ recursively\\n file:\\n path: /lib64/\\n state: directory\\n recurse: true\\n mode: g-w,o-w\\n tags:\\n - NIST-800-53-CM-5\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/lib/ recursively\\n file:\\n path: /usr/lib/\\n state: directory\\n recurse: true\\n mode: g-w,o-w\\n tags:\\n - NIST-800-53-CM-5\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/lib64/ recursively\\n file:\\n path: /usr/lib64/\\n state: directory\\n recurse: true\\n mode: g-w,o-w\\n tags:\\n - NIST-800-53-CM-5\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - configure_strategy\\n - dir_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"dir_permissions_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_permissions_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System-wide shared library directories, which contain are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All sub-directories in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-5 (6) (1)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "System executables are stored in the following directories by default:All files in these directories should be owned by theuser.\nIf any filein these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that System Executables Have Root Ownership",
+ "id": "xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs",
+ "desc": "System executables are stored in the following directories by default:All files in these directories should be owned by theuser.\nIf any filein these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "System binaries are executed by privileged users as well as system services,\nand restrictive permissions are necessary to ensure that their\nexecution of these programs cannot be co-opted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that System Executables Have Root Ownership\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/bin\\n/sbin\\n/usr/bin\\n/usr/libexec\\n/usr/local/bin\\n/usr/local/sbin\\n/usr/sbin\",\n {\n \"i\": \"FILE\",\n \"text\": \"$ sudo chown root\"\n }\n ],\n \"code\": \"root\",\n \"i\": \"FILE\",\n \"text\": \"System executables are stored in the following directories by default:All files in these directories should be owned by theuser.\\nIf any filein these directories is found\\nto be owned by a user other than root, correct its ownership with the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"System binaries are executed by privileged users as well as system services,\\nand restrictive permissions are necessary to ensure that their\\nexecution of these programs cannot be co-opted.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System executables are stored in the following directories by default:All files in these directories should be owned by theuser.\nIf any filein these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-5 (6) (1)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directory, or any file in these\ndirectories, is found to be owned by a user other than root correct its\nownership with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_ownership_library_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_ownership_library_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that Shared Library Files Have Root Ownership",
+ "id": "xccdf_org.ssgproject.content_rule_file_ownership_library_dirs",
+ "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directory, or any file in these\ndirectories, is found to be owned by a user other than root correct its\nownership with the following command:",
+ "descriptions": [
+ {
+ "data": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Proper ownership is necessary to protect the integrity of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that Shared Library Files Have Root Ownership\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/lib\\n/lib64\\n/usr/lib\\n/usr/lib64\",\n {\n \"i\": \"FILE\",\n \"text\": \"$ sudo chown root\"\n }\n ],\n \"code\": [\n \"/lib/modules\",\n \"root\"\n ],\n \"text\": \"System-wide shared library files, which are linked to executables\\nduring process load time or run time, are stored in the following directories\\nby default:Kernel modules, which can be added to the kernel during runtime, are also\\nstored in. All files in these directories should be\\nowned by theuser. If the directory, or any file in these\\ndirectories, is found to be owned by a user other than root correct its\\nownership with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Files from shared library directories are loaded into the address\\nspace of processes (including privileged ones) or of the kernel itself at\\nruntime. Proper ownership is necessary to protect the integrity of the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find /lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \\\\;\\n\\nfind /lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \\\\;\\n\\nfind /usr/lib/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \\\\;\\n\\nfind /usr/lib64/ -type f ! -uid 0 -regex '^.*$' -exec chown 0 {} \\\\;\",\n \"id\": \"file_ownership_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Find /lib/ file(s) matching ^.*$ recursively\\n command: find -H /lib/ -type f ! -uid 0 -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /lib/ file(s) matching ^.*$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /lib64/ file(s) matching ^.*$ recursively\\n command: find -H /lib64/ -type f ! -uid 0 -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /lib64/ file(s) matching ^.*$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /usr/lib/ file(s) matching ^.*$ recursively\\n command: find -H /usr/lib/ -type f ! -uid 0 -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /usr/lib/ file(s) matching ^.*$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /usr/lib64/ file(s) matching ^.*$ recursively\\n command: find -H /usr/lib64/ -type f ! -uid 0 -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Ensure owner on /usr/lib64/ file(s) matching ^.*$\\n file:\\n path: '{{ item }}'\\n owner: '0'\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_ownership_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_ownership_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_ownership_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_ownership_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_ownership_library_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are also\nstored in. All files in these directories should be\nowned by theuser. If the directory, or any file in these\ndirectories, is found to be owned by a user other than root correct its\nownership with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-5 (6) (1)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "System executables are stored in the following directories by default:All files in these directories should not be group-writable or world-writable.\nIf any filein these directories is found\nto be group-writable or world-writable, correct its permission with the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "file_permissions_binary_dirs",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that System Executables Have Restrictive Permissions",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs",
+ "desc": "System executables are stored in the following directories by default:All files in these directories should not be group-writable or world-writable.\nIf any filein these directories is found\nto be group-writable or world-writable, correct its permission with the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "DIRS=\"/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec\"\nfor dirPath in $DIRS; do\n\tfind \"$dirPath\" -perm /022 -exec chmod go-w '{}' \\;\ndone",
+ "label": "fix"
+ },
+ {
+ "data": "System binaries are executed by privileged users, as well as system services,\nand restrictive permissions are necessary to ensure execution of these programs\ncannot be co-opted.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that System Executables Have Restrictive Permissions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/bin\\n/sbin\\n/usr/bin\\n/usr/libexec\\n/usr/local/bin\\n/usr/local/sbin\\n/usr/sbin\",\n {\n \"i\": \"FILE\",\n \"text\": \"$ sudo chmod go-w\"\n }\n ],\n \"i\": \"FILE\",\n \"text\": \"System executables are stored in the following directories by default:All files in these directories should not be group-writable or world-writable.\\nIf any filein these directories is found\\nto be group-writable or world-writable, correct its permission with the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"System binaries are executed by privileged users, as well as system services,\\nand restrictive permissions are necessary to ensure execution of these programs\\ncannot be co-opted.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"DIRS=\\\"/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec\\\"\\nfor dirPath in $DIRS; do\\n\\tfind \\\"$dirPath\\\" -perm /022 -exec chmod go-w '{}' \\\\;\\ndone\",\n \"id\": \"file_permissions_binary_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_binary_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System executables are stored in the following directories by default:All files in these directories should not be group-writable or world-writable.\nIf any filein these directories is found\nto be group-writable or world-writable, correct its permission with the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001499"
+ ],
+ "nist": [
+ "CM-5 (6)",
+ "CM-6 a.",
+ "CM-5 (6) (1)",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All files in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_permissions_within_important_dirs",
+ "group_title": "Verify File Permissions Within Some Important Directories",
+ "group_description": "Some directories contain files whose confidentiality or integrity\nis notably important and may also be susceptible to misconfiguration over time, particularly if\nunpackaged software is installed. As such,\nan argument exists to verify that files' permissions within these directories remain\nconfigured correctly and restrictively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_library_dirs",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001499",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-5(6).1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000259-GPOS-00100",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_library_dirs",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001499",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-5(6).1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000259-GPOS-00100",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that Shared Library Files Have Restrictive Permissions",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_library_dirs",
+ "desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All files in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "descriptions": [
+ {
+ "data": "Files from shared library directories are loaded into the address\nspace of processes (including privileged ones) or of the kernel itself at\nruntime. Restrictive permissions are necessary to protect the integrity of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that Shared Library Files Have Restrictive Permissions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"/lib\\n/lib64\\n/usr/lib\\n/usr/lib64\",\n {\n \"i\": \"FILE\",\n \"text\": \"$ sudo chmod go-w\"\n }\n ],\n \"code\": \"/lib/modules\",\n \"text\": \"System-wide shared library files, which are linked to executables\\nduring process load time or run time, are stored in the following directories\\nby default:Kernel modules, which can be added to the kernel during runtime, are\\nstored in. All files in these directories\\nshould not be group-writable or world-writable. If any file in these\\ndirectories is found to be group-writable or world-writable, correct\\nits permission with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001499\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-5(6).1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000259-GPOS-00100\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Files from shared library directories are loaded into the address\\nspace of processes (including privileged ones) or of the kernel itself at\\nruntime. Restrictive permissions are necessary to protect the integrity of the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"find -H /lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /usr/lib/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \\\\;\\n\\nfind -H /usr/lib64/ -perm /g+w,o+w -type f -regex '^.*$' -exec chmod g-w,o-w {} \\\\;\",\n \"id\": \"file_permissions_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Find /lib/ file(s) recursively\\n command: find -H /lib/ -perm /g+w,o+w -type f -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /lib/ file(s)\\n file:\\n path: '{{ item }}'\\n mode: g-w,o-w\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /lib64/ file(s) recursively\\n command: find -H /lib64/ -perm /g+w,o+w -type f -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /lib64/ file(s)\\n file:\\n path: '{{ item }}'\\n mode: g-w,o-w\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /usr/lib/ file(s) recursively\\n command: find -H /usr/lib/ -perm /g+w,o+w -type f -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/lib/ file(s)\\n file:\\n path: '{{ item }}'\\n mode: g-w,o-w\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Find /usr/lib64/ file(s) recursively\\n command: find -H /usr/lib64/ -perm /g+w,o+w -type f -regex \\\"^.*$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /usr/lib64/ file(s)\\n file:\\n path: '{{ item }}'\\n mode: g-w,o-w\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-5(6)\\n - NIST-800-53-CM-5(6).1\\n - NIST-800-53-CM-6(a)\\n - configure_strategy\\n - file_permissions_library_dirs\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_library_dirs\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_library_dirs:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_library_dirs_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_library_dirs\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System-wide shared library files, which are linked to executables\nduring process load time or run time, are stored in the following directories\nby default:Kernel modules, which can be added to the kernel during runtime, are\nstored in. All files in these directories\nshould not be group-writable or world-writable. If any file in these\ndirectories is found to be group-writable or world-writable, correct\nits permission with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001090"
+ ],
+ "nist": [
+ "SC-4",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "When the so-called 'sticky bit' is set on a directory,\nonly the owner of a given file may remove that file from the\ndirectory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky\nbit prevents users from removing each other's files. In cases where\nthere is no reason for a directory to be world-writable, a better\nsolution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application,\nconsult that application's documentation instead of blindly\nchanging modes.To set the sticky bit on a world-writable directory, run the\nfollowing command:",
+ "group_id": "xccdf_org.ssgproject.content_group_files",
+ "group_title": "Verify Permissions on Important Files and\nDirectories",
+ "group_description": "Permissions for many files on a system must be set\nrestrictively to ensure sensitive information is properly protected.\nThis section discusses important\npermission restrictions which can be verified\nto ensure that no harmful discrepancies have\narisen.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_perms_world_writable_sticky_bits:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "dir_perms_world_writable_sticky_bits",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R40)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001090",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000138-GPOS-00069",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.20",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-dir_perms_world_writable_sticky_bits:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R40)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001090",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000138-GPOS-00069",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.20",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that All World-Writable Directories Have Sticky Bits Set",
+ "id": "xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits",
+ "desc": "When the so-called 'sticky bit' is set on a directory,\nonly the owner of a given file may remove that file from the\ndirectory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky\nbit prevents users from removing each other's files. In cases where\nthere is no reason for a directory to be world-writable, a better\nsolution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application,\nconsult that application's documentation instead of blindly\nchanging modes.To set the sticky bit on a world-writable directory, run the\nfollowing command:",
+ "descriptions": [
+ {
+ "data": "df --local -P | awk '{if (NR!=1) print $6}' \\\n| xargs -I '$6' find '$6' -xdev -type d \\\n\\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null \\\n-exec chmod a+t {} +",
+ "label": "fix"
+ },
+ {
+ "data": "Failing to set the sticky bit on public directories allows unauthorized\nusers to delete files in the directory structure.The only authorized public directories are those temporary directories\nsupplied with the system, or those designed to be temporary file\nrepositories. The setting is normally reserved for directories used by the\nsystem, by users for temporary file storage (such as), and\nfor directories requiring global read/write access.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that All World-Writable Directories Have Sticky Bits Set\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": \"\",\n \"i\": \"DIR\",\n \"pre\": {\n \"i\": \"DIR\",\n \"text\": \"$ sudo chmod +t\"\n },\n \"text\": \"When the so-called 'sticky bit' is set on a directory,\\nonly the owner of a given file may remove that file from the\\ndirectory. Without the sticky bit, any user with write access to a\\ndirectory may remove any file in the directory. Setting the sticky\\nbit prevents users from removing each other's files. In cases where\\nthere is no reason for a directory to be world-writable, a better\\nsolution is to remove that permission rather than to set the sticky\\nbit. However, if a directory is used by a particular application,\\nconsult that application's documentation instead of blindly\\nchanging modes.To set the sticky bit on a world-writable directory, run the\\nfollowing command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R40)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001090\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000138-GPOS-00069\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.20\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": \"/tmp\",\n \"text\": \"Failing to set the sticky bit on public directories allows unauthorized\\nusers to delete files in the directory structure.The only authorized public directories are those temporary directories\\nsupplied with the system, or those designed to be temporary file\\nrepositories. The setting is normally reserved for directories used by the\\nsystem, by users for temporary file storage (such as), and\\nfor directories requiring global read/write access.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"df --local -P | awk '{if (NR!=1) print $6}' \\\\\\n| xargs -I '$6' find '$6' -xdev -type d \\\\\\n\\\\( -perm -0002 -a ! -perm -1000 \\\\) 2>/dev/null \\\\\\n-exec chmod a+t {} +\",\n \"id\": \"dir_perms_world_writable_sticky_bits\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-dir_perms_world_writable_sticky_bits:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "When the so-called 'sticky bit' is set on a directory,\nonly the owner of a given file may remove that file from the\ndirectory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky\nbit prevents users from removing each other's files. In cases where\nthere is no reason for a directory to be world-writable, a better\nsolution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application,\nconsult that application's documentation instead of blindly\nchanging modes.To set the sticky bit on a world-writable directory, run the\nfollowing command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "Files containing sensitive informations should be protected by restrictive\n permissions. Most of the time, there is no need that these files need to be read by any non-root user\n\nTo properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_files",
+ "group_title": "Verify Permissions on Important Files and\nDirectories",
+ "group_description": "Permissions for many files on a system must be set\nrestrictively to ensure sensitive information is properly protected.\nThis section discusses important\npermission restrictions which can be verified\nto ensure that no harmful discrepancies have\narisen.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_systemmap",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_systemmap:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R13)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_systemmap",
+ "role": "full",
+ "time": "2023-03-20T12:28:11-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R13)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Verify that local System.map file (if exists) is readable only by root",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_systemmap",
+ "desc": "Files containing sensitive informations should be protected by restrictive\n permissions. Most of the time, there is no need that these files need to be read by any non-root user\n\nTo properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "Thefile contains information about kernel symbols and\n can give some hints to generate local exploitation.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Verify that local System.map file (if exists) is readable only by root\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/boot/System.map-*\",\n \"pre\": \"$ sudo chmod 0600 /boot/System.map-*\",\n \"text\": \"Files containing sensitive informations should be protected by restrictive\\n permissions. Most of the time, there is no need that these files need to be read by any non-root user\\n\\nTo properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R13)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"code\": \"System.map\",\n \"text\": \"Thefile contains information about kernel symbols and\\n can give some hints to generate local exploitation.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_systemmap:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_systemmap\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Files containing sensitive informations should be protected by restrictive\n permissions. Most of the time, there is no need that these files need to be read by any non-root user\n\nTo properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:11-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "It is generally a good idea to remove global (other) write\naccess to a file when it is discovered. However, check with\ndocumentation for specific applications before making changes.\nAlso, monitor for recurring world-writable files, as these may be\nsymptoms of a misconfigured application or user account. Finally,\nthis applies to real files and not virtual files that are a part of\npseudo file systems such asor.",
+ "group_id": "xccdf_org.ssgproject.content_group_files",
+ "group_title": "Verify Permissions on Important Files and\nDirectories",
+ "group_description": "Permissions for many files on a system must be set\nrestrictively to ensure sensitive information is properly protected.\nThis section discusses important\npermission restrictions which can be verified\nto ensure that no harmful discrepancies have\narisen.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_unauthorized_world_writable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_unauthorized_world_writable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "file_permissions_unauthorized_world_writable",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R40)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "pass",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-file_permissions_unauthorized_world_writable:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R40)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure No World-Writable Files Exist",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable",
+ "desc": "It is generally a good idea to remove global (other) write\naccess to a file when it is discovered. However, check with\ndocumentation for specific applications before making changes.\nAlso, monitor for recurring world-writable files, as these may be\nsymptoms of a misconfigured application or user account. Finally,\nthis applies to real files and not virtual files that are a part of\npseudo file systems such asor.",
+ "descriptions": [
+ {
+ "data": "find / -xdev -type f -perm -002 -exec chmod o-w {} \\;",
+ "label": "fix"
+ },
+ {
+ "data": "Data in world-writable files can be modified by any\nuser on the system. In almost all circumstances, files can be\nconfigured using a combination of user and group permissions to\nsupport whatever legitimate access is needed without the risk\ncaused by world-writable files.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure No World-Writable Files Exist\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"sysfs\",\n \"procfs\"\n ],\n \"text\": \"It is generally a good idea to remove global (other) write\\naccess to a file when it is discovered. However, check with\\ndocumentation for specific applications before making changes.\\nAlso, monitor for recurring world-writable files, as these may be\\nsymptoms of a misconfigured application or user account. Finally,\\nthis applies to real files and not virtual files that are a part of\\npseudo file systems such asor.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R40)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Data in world-writable files can be modified by any\\nuser on the system. In almost all circumstances, files can be\\nconfigured using a combination of user and group permissions to\\nsupport whatever legitimate access is needed without the risk\\ncaused by world-writable files.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"find / -xdev -type f -perm -002 -exec chmod o-w {} \\\\;\",\n \"id\": \"file_permissions_unauthorized_world_writable\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_unauthorized_world_writable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_unauthorized_world_writable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "It is generally a good idea to remove global (other) write\naccess to a file when it is discovered. However, check with\ndocumentation for specific applications before making changes.\nAlso, monitor for recurring world-writable files, as these may be\nsymptoms of a misconfigured application or user account. Finally,\nthis applies to real files and not virtual files that are a part of\npseudo file systems such asor.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002165"
+ ],
+ "nist": [
+ "AC-3 (4)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_files",
+ "group_title": "Verify Permissions on Important Files and\nDirectories",
+ "group_description": "Permissions for many files on a system must be set\nrestrictively to ensure sensitive information is properly protected.\nThis section discusses important\npermission restrictions which can be verified\nto ensure that no harmful discrepancies have\narisen.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_protected_hardlinks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_protected_hardlinks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R23)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-002165",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000312-GPOS-00122",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000312-GPOS-00123",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000324-GPOS-00125",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R23)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-002165",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000312-GPOS-00122",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000312-GPOS-00123",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000324-GPOS-00125",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Kernel Parameter to Enforce DAC on Hardlinks",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "By enabling this kernel parameter, users can no longer create soft or hard links to\nfiles which they do not own. Disallowing such hardlinks mitigate vulnerabilities\nbased on insecure file system accessed by privileged programs, avoiding an\nexploitation vector exploiting unsafe use ofor.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Kernel Parameter to Enforce DAC on Hardlinks\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"fs.protected_hardlinks\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w fs.protected_hardlinks=1\",\n \"fs.protected_hardlinks = 1\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R23)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-002165\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000312-GPOS-00122\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000312-GPOS-00123\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000324-GPOS-00125\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"open()\",\n \"creat()\"\n ],\n \"text\": \"By enabling this kernel parameter, users can no longer create soft or hard links to\\nfiles which they do not own. Disallowing such hardlinks mitigate vulnerabilities\\nbased on insecure file system accessed by privileged programs, avoiding an\\nexploitation vector exploiting unsafe use ofor.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of fs.protected_hardlinks from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*fs.protected_hardlinks.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"fs.protected_hardlinks\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for fs.protected_hardlinks\\n#\\n/sbin/sysctl -q -n -w fs.protected_hardlinks=\\\"1\\\"\\n\\n#\\n# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to \\\"1\\\"\\n#\\telse, add \\\"fs.protected_hardlinks = 1\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^fs.protected_hardlinks\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"1\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^fs.protected_hardlinks\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^fs.protected_hardlinks\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_fs_protected_hardlinks\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*fs.protected_hardlinks.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_hardlinks\\n\\n- name: Comment out any occurrences of fs.protected_hardlinks from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*fs.protected_hardlinks\\n replace: '#fs.protected_hardlinks'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_hardlinks\\n\\n- name: Ensure sysctl fs.protected_hardlinks is set to 1\\n sysctl:\\n name: fs.protected_hardlinks\\n value: '1'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_hardlinks\",\n \"id\": \"sysctl_fs_protected_hardlinks\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_protected_hardlinks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_protected_hardlinks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002165"
+ ],
+ "nist": [
+ "AC-3 (4)",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_files",
+ "group_title": "Verify Permissions on Important Files and\nDirectories",
+ "group_description": "Permissions for many files on a system must be set\nrestrictively to ensure sensitive information is properly protected.\nThis section discusses important\npermission restrictions which can be verified\nto ensure that no harmful discrepancies have\narisen.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_protected_symlinks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_protected_symlinks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R23)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-002165",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000312-GPOS-00122",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000312-GPOS-00123",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000324-GPOS-00125",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R23)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-002165",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000312-GPOS-00122",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000312-GPOS-00123",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000324-GPOS-00125",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Kernel Parameter to Enforce DAC on Symlinks",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "By enabling this kernel parameter, symbolic links are permitted to be followed\nonly when outside a sticky world-writable directory, or when the UID of the\nlink and follower match, or when the directory owner matches the symlink's owner.\nDisallowing such symlinks helps mitigate vulnerabilities based on insecure file system\naccessed by privileged programs, avoiding an exploitation vector exploiting unsafe use ofor.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Kernel Parameter to Enforce DAC on Symlinks\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"fs.protected_symlinks\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w fs.protected_symlinks=1\",\n \"fs.protected_symlinks = 1\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R23)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-002165\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000312-GPOS-00122\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000312-GPOS-00123\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000324-GPOS-00125\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"open()\",\n \"creat()\"\n ],\n \"text\": \"By enabling this kernel parameter, symbolic links are permitted to be followed\\nonly when outside a sticky world-writable directory, or when the UID of the\\nlink and follower match, or when the directory owner matches the symlink's owner.\\nDisallowing such symlinks helps mitigate vulnerabilities based on insecure file system\\naccessed by privileged programs, avoiding an exploitation vector exploiting unsafe use ofor.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of fs.protected_symlinks from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*fs.protected_symlinks.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"fs.protected_symlinks\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for fs.protected_symlinks\\n#\\n/sbin/sysctl -q -n -w fs.protected_symlinks=\\\"1\\\"\\n\\n#\\n# If fs.protected_symlinks present in /etc/sysctl.conf, change value to \\\"1\\\"\\n#\\telse, add \\\"fs.protected_symlinks = 1\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^fs.protected_symlinks\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"1\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^fs.protected_symlinks\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^fs.protected_symlinks\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_fs_protected_symlinks\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*fs.protected_symlinks.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_symlinks\\n\\n- name: Comment out any occurrences of fs.protected_symlinks from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*fs.protected_symlinks\\n replace: '#fs.protected_symlinks'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_symlinks\\n\\n- name: Ensure sysctl fs.protected_symlinks is set to 1\\n sysctl:\\n name: fs.protected_symlinks\\n value: '1'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_protected_symlinks\",\n \"id\": \"sysctl_fs_protected_symlinks\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_protected_symlinks:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_protected_symlinks_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-000778",
+ "CCI-001958"
+ ],
+ "nist": [
+ "CM-6 b",
+ "IA-3",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Thedaemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editingrather than relying on the automounter.Theservice can be disabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_autofs_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_autofs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_autofs_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000778",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001958",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(3)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)(ii)(A)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(d)(2)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)(2)(iv)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000114-GPOS-00059",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000378-GPOS-00163",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.21",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_autofs_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000778",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001958",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(3)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)(ii)(A)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(d)(2)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)(2)(iv)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000114-GPOS-00059",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000378-GPOS-00163",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.21",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable the Automounter",
+ "id": "xccdf_org.ssgproject.content_rule_service_autofs_disabled",
+ "desc": "Thedaemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editingrather than relying on the automounter.Theservice can be disabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Disabling the automounter permits the administrator to\nstatically control filesystem mounting through.Additionally, automatically mounting filesystems permits easy introduction of\nunknown devices, thereby facilitating malicious activity.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable the Automounter\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"autofs\",\n \"/misc/cd\",\n \"/etc/fstab\",\n \"autofs\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"$ sudo systemctl mask --now autofs.service\",\n \"text\": \"Thedaemon mounts and unmounts filesystems, such as user\\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\\nremovable media, and the default configuration provides the cdrom device as.\\nHowever, this method of providing access to removable media is not common, so autofs\\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\\npossible to configure filesystem mounts statically by editingrather than relying on the automounter.Theservice can be disabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000778\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001958\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(3)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)(ii)(A)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(d)(2)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)(2)(iv)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000114-GPOS-00059\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000378-GPOS-00163\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.21\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/etc/fstab\",\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Disabling the automounter permits the administrator to\\nstatically control filesystem mounting through.Additionally, automatically mounting filesystems permits easy introduction of\\nunknown devices, thereby facilitating malicious activity.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" stop 'autofs.service'\\n\\\"$SYSTEMCTL_EXEC\\\" disable 'autofs.service'\\n\\\"$SYSTEMCTL_EXEC\\\" mask 'autofs.service'\\n# Disable socket activation if we have a unit file for it\\nif \\\"$SYSTEMCTL_EXEC\\\" -q list-unit-files autofs.socket; then\\n \\\"$SYSTEMCTL_EXEC\\\" stop 'autofs.socket'\\n \\\"$SYSTEMCTL_EXEC\\\" mask 'autofs.socket'\\nfi\\n# The service may not be running because it has been started and failed,\\n# so let's reset the state so OVAL checks pass.\\n# Service should be 'inactive', not 'failed' after reboot though.\\n\\\"$SYSTEMCTL_EXEC\\\" reset-failed 'autofs.service' || true\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_autofs_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Disable service autofs\\n block:\\n\\n - name: Disable service autofs\\n systemd:\\n name: autofs.service\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n ignore_errors: 'yes'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_autofs_disabled\\n\\n- name: Unit Socket Exists - autofs.socket\\n command: systemctl list-unit-files autofs.socket\\n register: socket_file_exists\\n changed_when: false\\n ignore_errors: true\\n check_mode: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_autofs_disabled\\n\\n- name: Disable socket autofs\\n systemd:\\n name: autofs.socket\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"autofs.socket\\\" in socket_file_exists.stdout_lines[1]'\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_autofs_disabled\",\n \"id\": \"service_autofs_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include disable_autofs\\n\\nclass disable_autofs {\\n service {'autofs':\\n enable => false,\\n ensure => 'stopped',\\n }\\n}\",\n \"id\": \"service_autofs_disabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\ndisabled = [\\\"autofs\\\"]\",\n \"id\": \"service_autofs_disabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_autofs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_autofs_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_autofs_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedaemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editingrather than relying on the automounter.Theservice can be disabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000381"
+ ],
+ "nist": [
+ "CM-7 a",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is a compressed read-only\nLinux filesystem embedded in small footprint systems. Aimage can be used without having to first\ndecompress the image.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_cramfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000381",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000095-GPOS-00049",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.1.1",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000381",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000095-GPOS-00049",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.1.1",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of cramfs",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is a compressed read-only\nLinux filesystem embedded in small footprint systems. Aimage can be used without having to first\ndecompress the image.",
+ "descriptions": [
+ {
+ "data": "Removing support for unneeded filesystem types reduces the local attack surface\nof the server.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of cramfs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"cramfs\",\n \"/etc/modprobe.d/cramfs.conf\",\n \"cramfs\",\n \"cramfs\"\n ],\n \"pre\": \"install cramfs /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\\n\\nThefilesystem type is a compressed read-only\\nLinux filesystem embedded in small footprint systems. Aimage can be used without having to first\\ndecompress the image.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000381\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000095-GPOS-00049\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.1.1\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"Removing support for unneeded filesystem types reduces the local attack surface\\nof the server.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install cramfs\\\" /etc/modprobe.d/cramfs.conf ; then\\n\\t\\n\\tsed -i 's#^install cramfs.*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/cramfs.conf\\n\\techo \\\"install cramfs /bin/true\\\" >> /etc/modprobe.d/cramfs.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_cramfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'cramfs' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/cramfs.conf\\n regexp: cramfs\\n line: install cramfs /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_cramfs_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_cramfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_cramfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is a compressed read-only\nLinux filesystem embedded in small footprint systems. Aimage can be used without having to first\ndecompress the image.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_freevxfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of freevxfs",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-kernel_module_freevxfs_disabled:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Linux kernel modules which implement filesystems that are not needed by the\nlocal system should be disabled.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of freevxfs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"freevxfs\",\n \"/etc/modprobe.d/freevxfs.conf\"\n ],\n \"pre\": \"install freevxfs /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Linux kernel modules which implement filesystems that are not needed by the\\nlocal system should be disabled.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install freevxfs\\\" /etc/modprobe.d/freevxfs.conf ; then\\n\\t\\n\\tsed -i 's#^install freevxfs.*#install freevxfs /bin/true#g' /etc/modprobe.d/freevxfs.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/freevxfs.conf\\n\\techo \\\"install freevxfs /bin/true\\\" >> /etc/modprobe.d/freevxfs.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_freevxfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'freevxfs' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/freevxfs.conf\\n regexp: freevxfs\\n line: install freevxfs /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_freevxfs_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_freevxfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_freevxfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_hfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of hfs",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-kernel_module_hfs_disabled:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Linux kernel modules which implement filesystems that are not needed by the\nlocal system should be disabled.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of hfs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"hfs\",\n \"/etc/modprobe.d/hfs.conf\"\n ],\n \"pre\": \"install hfs /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Linux kernel modules which implement filesystems that are not needed by the\\nlocal system should be disabled.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install hfs\\\" /etc/modprobe.d/hfs.conf ; then\\n\\t\\n\\tsed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/hfs.conf\\n\\techo \\\"install hfs /bin/true\\\" >> /etc/modprobe.d/hfs.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_hfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'hfs' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/hfs.conf\\n regexp: hfs\\n line: install hfs /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_hfs_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_hfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_hfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_hfsplus_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of hfsplus",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-kernel_module_hfsplus_disabled:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Linux kernel modules which implement filesystems that are not needed by the\nlocal system should be disabled.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of hfsplus\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"hfsplus\",\n \"/etc/modprobe.d/hfsplus.conf\"\n ],\n \"pre\": \"install hfsplus /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Linux kernel modules which implement filesystems that are not needed by the\\nlocal system should be disabled.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install hfsplus\\\" /etc/modprobe.d/hfsplus.conf ; then\\n\\t\\n\\tsed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/hfsplus.conf\\n\\techo \\\"install hfsplus /bin/true\\\" >> /etc/modprobe.d/hfsplus.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_hfsplus_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'hfsplus' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/hfsplus.conf\\n regexp: hfsplus\\n line: install hfsplus /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_hfsplus_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_hfsplus_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_hfsplus_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_jffs2_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of jffs2",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-kernel_module_jffs2_disabled:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Linux kernel modules which implement filesystems that are not needed by the\nlocal system should be disabled.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of jffs2\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"jffs2\",\n \"/etc/modprobe.d/jffs2.conf\"\n ],\n \"pre\": \"install jffs2 /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Linux kernel modules which implement filesystems that are not needed by the\\nlocal system should be disabled.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install jffs2\\\" /etc/modprobe.d/jffs2.conf ; then\\n\\t\\n\\tsed -i 's#^install jffs2.*#install jffs2 /bin/true#g' /etc/modprobe.d/jffs2.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/jffs2.conf\\n\\techo \\\"install jffs2 /bin/true\\\" >> /etc/modprobe.d/jffs2.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_jffs2_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'jffs2' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/jffs2.conf\\n regexp: jffs2\\n line: install jffs2 /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_jffs2_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_jffs2_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_jffs2_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is the universal disk format\nused to implement the ISO/IEC 13346 and ECMA-167 specifications.\nThis is an open vendor filesystem type for data storage on a broad\nrange of media. This filesystem type is neccessary to support\nwriting DVDs and newer optical disc formats.",
+ "group_id": "xccdf_org.ssgproject.content_group_mounting",
+ "group_title": "Restrict Dynamic Mounting and Unmounting of\nFilesystems",
+ "group_description": "Linux includes a number of facilities for the automated addition\nand removal of filesystems on a running system. These facilities may be\nnecessary in many environments, but this capability also carries some risk -- whether direct\nrisk from allowing users to introduce arbitrary filesystems,\nor risk that software flaws in the automated mount facility itself could\nallow an attacker to compromise the system.This command can be used to list the types of filesystems that are\navailable to the currently executing kernel:If these filesystems are not required then they can be explicitly disabled\nin a configuratio file in.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_udf_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.4.6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "1.1.1.6",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.4.6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "1.1.1.6",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Mounting of udf",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled",
+ "desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is the universal disk format\nused to implement the ISO/IEC 13346 and ECMA-167 specifications.\nThis is an open vendor filesystem type for data storage on a broad\nrange of media. This filesystem type is neccessary to support\nwriting DVDs and newer optical disc formats.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-kernel_module_udf_disabled:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Removing support for unneeded filesystem types reduces the local\nattack surface of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Mounting of udf\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"udf\",\n \"/etc/modprobe.d/udf.conf\",\n \"udf\"\n ],\n \"pre\": \"install udf /bin/true\",\n \"text\": \"To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\\n\\nThefilesystem type is the universal disk format\\nused to implement the ISO/IEC 13346 and ECMA-167 specifications.\\nThis is an open vendor filesystem type for data storage on a broad\\nrange of media. This filesystem type is neccessary to support\\nwriting DVDs and newer optical disc formats.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.4.6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"1.1.1.6\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"Removing support for unneeded filesystem types reduces the local\\nattack surface of the system.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install udf\\\" /etc/modprobe.d/udf.conf ; then\\n\\t\\n\\tsed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/udf.conf\\n\\techo \\\"install udf /bin/true\\\" >> /etc/modprobe.d/udf.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_udf_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'udf' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/udf.conf\\n regexp: udf\\n line: install udf /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.4.6\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - kernel_module_udf_disabled\\n - low_complexity\\n - low_severity\\n - medium_disruption\\n - reboot_required\",\n \"id\": \"kernel_module_udf_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_udf_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To configure the system to prevent thekernel module from being loaded, add the following line to the file:This effectively prevents usage of this uncommon filesystem.\n\nThefilesystem type is the universal disk format\nused to implement the ISO/IEC 13346 and ECMA-167 specifications.\nThis is an open vendor filesystem type for data storage on a broad\nrange of media. This filesystem type is neccessary to support\nwriting DVDs and newer optical disc formats.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent creation of device\nfiles in. Legitimate character and block devices should\nnot exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.14",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.14",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nodev Option to /dev/shm",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev",
+ "desc": "Themount option can be used to prevent creation of device\nfiles in. Legitimate character and block devices should\nnot exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The only legitimate location for device files is thedirectory\nlocated on the root partition. The only exception to this is chroot jails.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add nodev Option to /dev/shm\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nodev\",\n \"/dev/shm\",\n \"/dev/shm\",\n \"nodev\",\n \"/etc/fstab\",\n \"/dev/shm\"\n ],\n \"text\": \"Themount option can be used to prevent creation of device\\nfiles in. Legitimate character and block devices should\\nnot exist within temporary directories like.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.14\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/dev\",\n \"text\": \"The only legitimate location for device files is thedirectory\\nlocated on the root partition. The only exception to this is chroot jails.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfunction perform_remediation {\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /dev/shm)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nodev 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nodev\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nodev|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/dev/shm\\\"; then\\n if mountpoint -q \\\"/dev/shm\\\"; then\\n mount -o remount --target \\\"/dev/shm\\\"\\n else\\n mount --target \\\"/dev/shm\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_dev_shm_nodev\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'\\n command: findmnt '/dev/shm'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /dev/shm: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /dev/shm\\n - tmpfs\\n - tmpfs\\n - defaults\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (\\\"\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm\\n options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''\\n }) }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - mount_info is defined and \\\"nodev\\\" not in mount_info.options\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'\\n mount:\\n path: /dev/shm\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"\\\" |\\n length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nodev\\n - no_reboot_needed\",\n \"id\": \"mount_option_dev_shm_nodev\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent creation of device\nfiles in. Legitimate character and block devices should\nnot exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent binaries\nfrom being executed out of.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.16",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.16",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add noexec Option to /dev/shm",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec",
+ "desc": "Themount option can be used to prevent binaries\nfrom being executed out of.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "Allowing users to execute binaries from world-writable directories\nsuch ascan expose the system to potential compromise.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add noexec Option to /dev/shm\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"noexec\",\n \"/dev/shm\",\n \"/dev/shm\",\n \"noexec\",\n \"/etc/fstab\",\n \"/dev/shm\"\n ],\n \"text\": \"Themount option can be used to prevent binaries\\nfrom being executed out of.\\nIt can be dangerous to allow the execution of binaries\\nfrom world-writable temporary storage directories such as.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.16\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/dev/shm\",\n \"text\": \"Allowing users to execute binaries from world-writable directories\\nsuch ascan expose the system to potential compromise.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfunction perform_remediation {\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /dev/shm)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"noexec\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,noexec|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/dev/shm\\\"; then\\n if mountpoint -q \\\"/dev/shm\\\"; then\\n mount -o remount --target \\\"/dev/shm\\\"\\n else\\n mount --target \\\"/dev/shm\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_dev_shm_noexec\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'\\n command: findmnt '/dev/shm'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info\\n manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /dev/shm\\n - tmpfs\\n - tmpfs\\n - defaults\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (\\\"\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to\\n /dev/shm options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''\\n }) }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - mount_info is defined and \\\"noexec\\\" not in mount_info.options\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'\\n mount:\\n path: /dev/shm\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"\\\" |\\n length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_noexec\\n - no_reboot_needed\",\n \"id\": \"mount_option_dev_shm_noexec\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent binaries\nfrom being executed out of.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent execution\nof setuid programs in. The SUID and SGID permissions should not\nbe required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.15",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.15",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nosuid Option to /dev/shm",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid",
+ "desc": "Themount option can be used to prevent execution\nof setuid programs in. The SUID and SGID permissions should not\nbe required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The presence of SUID and SGID executables should be tightly controlled. Users\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add nosuid Option to /dev/shm\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosuid\",\n \"/dev/shm\",\n \"nosuid\",\n \"/etc/fstab\",\n \"/dev/shm\"\n ],\n \"text\": \"Themount option can be used to prevent execution\\nof setuid programs in. The SUID and SGID permissions should not\\nbe required in these world-writable directories.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.15\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"The presence of SUID and SGID executables should be tightly controlled. Users\\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfunction perform_remediation {\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /dev/shm)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\"tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}nosuid 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nosuid\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nosuid|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/dev/shm\\\"; then\\n if mountpoint -q \\\"/dev/shm\\\"; then\\n mount -o remount --target \\\"/dev/shm\\\"\\n else\\n mount --target \\\"/dev/shm\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_dev_shm_nosuid\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nosuid Option to /dev/shm: Check information associated to mountpoint'\\n command: findmnt '/dev/shm'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /dev/shm: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /dev/shm: If /dev/shm not mounted, craft mount_info\\n manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /dev/shm\\n - tmpfs\\n - tmpfs\\n - defaults\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (\\\"\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /dev/shm: Make sure nosuid option is part of the to\\n /dev/shm options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''\\n }) }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - mount_info is defined and \\\"nosuid\\\" not in mount_info.options\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /dev/shm: Ensure /dev/shm is mounted with nosuid option'\\n mount:\\n path: /dev/shm\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"\\\" |\\n length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_dev_shm_nosuid\\n - no_reboot_needed\",\n \"id\": \"mount_option_dev_shm_nosuid\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_dev_shm_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_dev_shm_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent execution\nof setuid programs in. The SUID and SGID permissions should not\nbe required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "Themount option can be used to prevent device files from\nbeing created in.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_home_nodev",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_home_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_home_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.13",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_home_nodev",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.13",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nodev Option to /home",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_home_nodev",
+ "desc": "Themount option can be used to prevent device files from\nbeing created in.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The only legitimate location for device files is thedirectory\nlocated on the root partition. The only exception to this is chroot jails.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add nodev Option to /home\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nodev\",\n \"/home\",\n \"/dev\",\n \"nodev\",\n \"/etc/fstab\",\n \"/home\"\n ],\n \"text\": \"Themount option can be used to prevent device files from\\nbeing created in.\\nLegitimate character and block devices should exist only in\\nthedirectory on the root partition or within chroot\\njails built for system services.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.13\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/dev\",\n \"text\": \"The only legitimate location for device files is thedirectory\\nlocated on the root partition. The only exception to this is chroot jails.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/home\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/home' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /home in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /home)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /home defaults,${previous_mount_opts}nodev 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nodev\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nodev|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/home\\\"; then\\n if mountpoint -q \\\"/home\\\"; then\\n mount -o remount --target \\\"/home\\\"\\n else\\n mount --target \\\"/home\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_home_nodev\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nodev Option to /home: Check information associated to mountpoint'\\n command: findmnt --fstab '/home'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - mount_option_home_nodev\\n - no_reboot_needed\\n - unknown_severity\\n\\n- name: 'Add nodev Option to /home: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - mount_option_home_nodev\\n - no_reboot_needed\\n - unknown_severity\\n\\n- name: 'Add nodev Option to /home: If /home not mounted, craft mount_info manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /home\\n - ''\\n - ''\\n - defaults\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - mount_option_home_nodev\\n - no_reboot_needed\\n - unknown_severity\\n\\n- name: 'Add nodev Option to /home: Make sure nodev option is part of the to /home\\n options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''\\n }) }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - mount_info is defined and \\\"nodev\\\" not in mount_info.options\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - mount_option_home_nodev\\n - no_reboot_needed\\n - unknown_severity\\n\\n- name: 'Add nodev Option to /home: Ensure /home is mounted with nodev option'\\n mount:\\n path: /home\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - mount_option_home_nodev\\n - no_reboot_needed\\n - unknown_severity\",\n \"id\": \"mount_option_home_nodev\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_home_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_home_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_home_nodev\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent device files from\nbeing created in.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option prevents files from being\ninterpreted as character or block devices.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_nodev_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_nodev_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.17",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Removable Partition",
+ "lang": "en-US"
+ },
+ "description": "This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,\nand mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from\nremovable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable\npartitions that are required on the local system.",
+ "value": {
+ "text": "/dev/cdrom",
+ "selector": "dev_cdrom"
+ },
+ "id": "xccdf_org.ssgproject.content_value_var_removable_partition",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.17",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nodev Option to Removable Media Partitions",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions",
+ "desc": "Themount option prevents files from being\ninterpreted as character or block devices.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "descriptions": [
+ {
+ "data": "The only legitimate location for device files is thedirectory\nlocated on the root partition. An exception to this is chroot jails, and it is\nnot advised to seton partitions which contain their root\nfilesystems.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add nodev Option to Removable Media Partitions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nodev\",\n \"/dev\",\n \"nodev\",\n \"/etc/fstab\"\n ],\n \"text\": \"Themount option prevents files from being\\ninterpreted as character or block devices.\\nLegitimate character and block devices should exist only in\\nthedirectory on the root partition or within chroot\\njails built for system services.\\nAdd theoption to the fourth column offor the line which controls mounting of\\n\\n any removable media partitions.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.17\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"/dev\",\n \"nodev\"\n ],\n \"text\": \"The only legitimate location for device files is thedirectory\\nlocated on the root partition. An exception to this is chroot jails, and it is\\nnot advised to seton partitions which contain their root\\nfilesystems.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_removable_partition=''\\n\\n\\ndevice_regex=\\\"^\\\\s*$var_removable_partition\\\\s\\\\+\\\"\\nmount_option=\\\"nodev\\\"\\n\\nif grep -q $device_regex /etc/fstab ; then\\n previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\($device_regex.*$previous_opts\\\\)|\\\\1,$mount_option|\\\" /etc/fstab\\nelse\\n echo \\\"Not remediating, because there is no record of $var_removable_partition in /etc/fstab\\\" >&2\\n return 1\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_nodev_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_removable_partition # promote to variable\\n set_fact:\\n var_removable_partition: !!strtags:\\n - always\\n\\n- name: Ensure permission nodev are set on var_removable_partition\\n lineinfile:\\n path: /etc/fstab\\n regexp: ^\\\\s*({{ var_removable_partition }})\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)(.*)$\\n backrefs: true\\n line: \\\\1 \\\\2 \\\\3 \\\\4,nodev \\\\5\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_nodev_removable_partitions\\n - no_reboot_needed\",\n \"id\": \"mount_option_nodev_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_nodev_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_nodev_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option prevents files from being\ninterpreted as character or block devices.\nLegitimate character and block devices should exist only in\nthedirectory on the root partition or within chroot\njails built for system services.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000087",
+ "CCI-000366"
+ ],
+ "nist": [
+ "AC-19 e",
+ "CM-6 b",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option prevents the direct execution of binaries\non the mounted filesystem. Preventing the direct execution of binaries from\nremovable media (such as a USB key) provides a defense against malicious\nsoftware that may be present on such untrusted media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_noexec_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_noexec_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000087",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.19",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Removable Partition",
+ "lang": "en-US"
+ },
+ "description": "This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,\nand mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from\nremovable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable\npartitions that are required on the local system.",
+ "value": {
+ "text": "/dev/cdrom",
+ "selector": "dev_cdrom"
+ },
+ "id": "xccdf_org.ssgproject.content_value_var_removable_partition",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000087",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.19",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add noexec Option to Removable Media Partitions",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions",
+ "desc": "Themount option prevents the direct execution of binaries\non the mounted filesystem. Preventing the direct execution of binaries from\nremovable media (such as a USB key) provides a defense against malicious\nsoftware that may be present on such untrusted media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "descriptions": [
+ {
+ "data": "Allowing users to execute binaries from removable media such as USB keys exposes\nthe system to potential compromise.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add noexec Option to Removable Media Partitions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"noexec\",\n \"noexec\",\n \"/etc/fstab\"\n ],\n \"text\": \"Themount option prevents the direct execution of binaries\\non the mounted filesystem. Preventing the direct execution of binaries from\\nremovable media (such as a USB key) provides a defense against malicious\\nsoftware that may be present on such untrusted media.\\nAdd theoption to the fourth column offor the line which controls mounting of\\n\\n any removable media partitions.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000087\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.19\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"Allowing users to execute binaries from removable media such as USB keys exposes\\nthe system to potential compromise.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_removable_partition=''\\n\\n\\ndevice_regex=\\\"^\\\\s*$var_removable_partition\\\\s\\\\+\\\"\\nmount_option=\\\"noexec\\\"\\n\\nif grep -q $device_regex /etc/fstab ; then\\n previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\($device_regex.*$previous_opts\\\\)|\\\\1,$mount_option|\\\" /etc/fstab\\nelse\\n echo \\\"Not remediating, because there is no record of $var_removable_partition in /etc/fstab\\\" >&2\\n return 1\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_noexec_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_removable_partition # promote to variable\\n set_fact:\\n var_removable_partition: !!strtags:\\n - always\\n\\n- name: Ensure permission noexec are set on var_removable_partition\\n lineinfile:\\n path: /etc/fstab\\n regexp: ^\\\\s*({{ var_removable_partition }})\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)(.*)$\\n backrefs: true\\n line: \\\\1 \\\\2 \\\\3 \\\\4,noexec \\\\5\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_noexec_removable_partitions\\n - no_reboot_needed\",\n \"id\": \"mount_option_noexec_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_noexec_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_noexec_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option prevents the direct execution of binaries\non the mounted filesystem. Preventing the direct execution of binaries from\nremovable media (such as a USB key) provides a defense against malicious\nsoftware that may be present on such untrusted media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option prevents set-user-identifier (SUID)\nand set-group-identifier (SGID) permissions from taking effect. These permissions\nallow users to execute binaries with the same permissions as the owner and group\nof the file respectively. Users should not be allowed to introduce SUID and SGID\nfiles into the system via partitions mounted from removeable media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_nosuid_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_nosuid_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.18",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Removable Partition",
+ "lang": "en-US"
+ },
+ "description": "This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,\nand mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from\nremovable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable\npartitions that are required on the local system.",
+ "value": {
+ "text": "/dev/cdrom",
+ "selector": "dev_cdrom"
+ },
+ "id": "xccdf_org.ssgproject.content_value_var_removable_partition",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.18",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nosuid Option to Removable Media Partitions",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions",
+ "desc": "Themount option prevents set-user-identifier (SUID)\nand set-group-identifier (SGID) permissions from taking effect. These permissions\nallow users to execute binaries with the same permissions as the owner and group\nof the file respectively. Users should not be allowed to introduce SUID and SGID\nfiles into the system via partitions mounted from removeable media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "descriptions": [
+ {
+ "data": "The presence of SUID and SGID executables should be tightly controlled. Allowing\nusers to introduce SUID or SGID binaries from partitions mounted off of\nremovable media would allow them to introduce their own highly-privileged programs.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Add nosuid Option to Removable Media Partitions\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosuid\",\n \"nosuid\",\n \"/etc/fstab\"\n ],\n \"text\": \"Themount option prevents set-user-identifier (SUID)\\nand set-group-identifier (SGID) permissions from taking effect. These permissions\\nallow users to execute binaries with the same permissions as the owner and group\\nof the file respectively. Users should not be allowed to introduce SUID and SGID\\nfiles into the system via partitions mounted from removeable media.\\nAdd theoption to the fourth column offor the line which controls mounting of\\n\\n any removable media partitions.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.18\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"The presence of SUID and SGID executables should be tightly controlled. Allowing\\nusers to introduce SUID or SGID binaries from partitions mounted off of\\nremovable media would allow them to introduce their own highly-privileged programs.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_removable_partition=''\\n\\n\\ndevice_regex=\\\"^\\\\s*$var_removable_partition\\\\s\\\\+\\\"\\nmount_option=\\\"nosuid\\\"\\n\\nif grep -q $device_regex /etc/fstab ; then\\n previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\($device_regex.*$previous_opts\\\\)|\\\\1,$mount_option|\\\" /etc/fstab\\nelse\\n echo \\\"Not remediating, because there is no record of $var_removable_partition in /etc/fstab\\\" >&2\\n return 1\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_nosuid_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_removable_partition\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_removable_partition # promote to variable\\n set_fact:\\n var_removable_partition: !!strtags:\\n - always\\n\\n- name: Ensure permission nosuid are set on var_removable_partition\\n lineinfile:\\n path: /etc/fstab\\n regexp: ^\\\\s*({{ var_removable_partition }})\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)\\\\s+([^\\\\s]*)(.*)$\\n backrefs: true\\n line: \\\\1 \\\\2 \\\\3 \\\\4,nosuid \\\\5\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_nosuid_removable_partitions\\n - no_reboot_needed\",\n \"id\": \"mount_option_nosuid_removable_partitions\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_removable_partition:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_removable_partition\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_nosuid_removable_partitions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_nosuid_removable_partitions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option prevents set-user-identifier (SUID)\nand set-group-identifier (SGID) permissions from taking effect. These permissions\nallow users to execute binaries with the same permissions as the owner and group\nof the file respectively. Users should not be allowed to introduce SUID and SGID\nfiles into the system via partitions mounted from removeable media.\nAdd theoption to the fourth column offor the line which controls mounting of\n\n any removable media partitions.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_tmp_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.3",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.3",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nodev Option to /tmp",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev",
+ "desc": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The only legitimate location for device files is thedirectory\nlocated on the root partition. The only exception to this is chroot jails.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add nodev Option to /tmp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nodev\",\n \"/tmp\",\n \"/tmp\",\n \"nodev\",\n \"/etc/fstab\",\n \"/tmp\"\n ],\n \"text\": \"Themount option can be used to prevent device files from\\nbeing created in. Legitimate character and block devices\\nshould not exist within temporary directories like.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.3\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/dev\",\n \"text\": \"The only legitimate location for device files is thedirectory\\nlocated on the root partition. The only exception to this is chroot jails.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine_and_partition-tmp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel \\\"/tmp\\\" > /dev/null ); then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/tmp\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /tmp in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /tmp)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /tmp defaults,${previous_mount_opts}nodev 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nodev\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nodev|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/tmp\\\"; then\\n if mountpoint -q \\\"/tmp\\\"; then\\n mount -o remount --target \\\"/tmp\\\"\\n else\\n mount --target \\\"/tmp\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_tmp_nodev\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nodev Option to /tmp: Check information associated to mountpoint'\\n command: findmnt --fstab '/tmp'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\",\\n \\\"container\\\"] and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /tmp: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /tmp: If /tmp not mounted, craft mount_info manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /tmp\\n - ''\\n - ''\\n - defaults\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /tmp: Make sure nodev option is part of the to /tmp options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''\\n }) }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - mount_info is defined and \\\"nodev\\\" not in mount_info.options\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /tmp: Ensure /tmp is mounted with nodev option'\\n mount:\\n path: /tmp\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nodev\\n - no_reboot_needed\",\n \"id\": \"mount_option_tmp_nodev\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_tmp_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-6",
+ "AC-6 (1)",
+ "MP-7"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_tmp_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.9",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.3.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MP-7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.4",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.9",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.3.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MP-7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.4",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nosuid Option to /tmp",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid",
+ "desc": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The presence of SUID and SGID executables should be tightly controlled. Users\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add nosuid Option to /tmp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosuid\",\n \"/tmp\",\n \"nosuid\",\n \"/etc/fstab\",\n \"/tmp\"\n ],\n \"text\": \"Themount option can be used to prevent\\nexecution of setuid programs in. The SUID and SGID permissions\\nshould not be required in these world-writable directories.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.9\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.3.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MP-7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.4\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"The presence of SUID and SGID executables should be tightly controlled. Users\\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine_and_partition-tmp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel \\\"/tmp\\\" > /dev/null ); then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/tmp\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/tmp' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /tmp in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /tmp)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /tmp defaults,${previous_mount_opts}nosuid 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nosuid\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nosuid|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/tmp\\\"; then\\n if mountpoint -q \\\"/tmp\\\"; then\\n mount -o remount --target \\\"/tmp\\\"\\n else\\n mount --target \\\"/tmp\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_tmp_nosuid\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nosuid Option to /tmp: Check information associated to mountpoint'\\n command: findmnt --fstab '/tmp'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\",\\n \\\"container\\\"] and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /tmp: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /tmp: If /tmp not mounted, craft mount_info manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /tmp\\n - ''\\n - ''\\n - defaults\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /tmp: Make sure nosuid option is part of the to /tmp\\n options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''\\n }) }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - mount_info is defined and \\\"nosuid\\\" not in mount_info.options\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /tmp: Ensure /tmp is mounted with nosuid option'\\n mount:\\n path: /tmp\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - NIST-800-53-AC-6\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-MP-7\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_tmp_nosuid\\n - no_reboot_needed\",\n \"id\": \"mount_option_tmp_nosuid\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_tmp_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.7",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.7",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nodev Option to /var/tmp",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev",
+ "desc": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The only legitimate location for device files is thedirectory\nlocated on the root partition. The only exception to this is chroot jails.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add nodev Option to /var/tmp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nodev\",\n \"/var/tmp\",\n \"/var/tmp\",\n \"nodev\",\n \"/etc/fstab\",\n \"/var/tmp\"\n ],\n \"text\": \"Themount option can be used to prevent device files from\\nbeing created in. Legitimate character and block devices\\nshould not exist within temporary directories like.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.7\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/dev\",\n \"text\": \"The only legitimate location for device files is thedirectory\\nlocated on the root partition. The only exception to this is chroot jails.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine_and_partition-var-tmp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel \\\"/var/tmp\\\" > /dev/null ); then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/var/tmp\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /var/tmp in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /var/tmp)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /var/tmp defaults,${previous_mount_opts}nodev 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nodev\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nodev|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/var/tmp\\\"; then\\n if mountpoint -q \\\"/var/tmp\\\"; then\\n mount -o remount --target \\\"/var/tmp\\\"\\n else\\n mount --target \\\"/var/tmp\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_var_tmp_nodev\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nodev Option to /var/tmp: Check information associated to mountpoint'\\n command: findmnt --fstab '/var/tmp'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\",\\n \\\"container\\\"] and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list\\n )\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /var/tmp: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /var/tmp: If /var/tmp not mounted, craft mount_info manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /var/tmp\\n - ''\\n - ''\\n - defaults\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /var/tmp: Make sure nodev option is part of the to /var/tmp\\n options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''\\n }) }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - mount_info is defined and \\\"nodev\\\" not in mount_info.options\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nodev\\n - no_reboot_needed\\n\\n- name: 'Add nodev Option to /var/tmp: Ensure /var/tmp is mounted with nodev option'\\n mount:\\n path: /var/tmp\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nodev\\n - no_reboot_needed\",\n \"id\": \"mount_option_var_tmp_nodev\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_nodev:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_nodev_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent device files from\nbeing created in. Legitimate character and block devices\nshould not exist within temporary directories like.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent binaries\nfrom being executed out of.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.9",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.9",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add noexec Option to /var/tmp",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec",
+ "desc": "Themount option can be used to prevent binaries\nfrom being executed out of.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "Allowing users to execute binaries from world-writable directories\nsuch asshould never be necessary in normal operation and\ncan expose the system to potential compromise.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add noexec Option to /var/tmp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"noexec\",\n \"/var/tmp\",\n \"noexec\",\n \"/etc/fstab\",\n \"/var/tmp\"\n ],\n \"text\": \"Themount option can be used to prevent binaries\\nfrom being executed out of.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.9\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"code\": \"/var/tmp\",\n \"text\": \"Allowing users to execute binaries from world-writable directories\\nsuch asshould never be necessary in normal operation and\\ncan expose the system to potential compromise.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine_and_partition-var-tmp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel \\\"/var/tmp\\\" > /dev/null ); then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/var/tmp\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /var/tmp in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /var/tmp)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /var/tmp defaults,${previous_mount_opts}noexec 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"noexec\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,noexec|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/var/tmp\\\"; then\\n if mountpoint -q \\\"/var/tmp\\\"; then\\n mount -o remount --target \\\"/var/tmp\\\"\\n else\\n mount --target \\\"/var/tmp\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_var_tmp_noexec\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add noexec Option to /var/tmp: Check information associated to mountpoint'\\n command: findmnt --fstab '/var/tmp'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\",\\n \\\"container\\\"] and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list\\n )\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /var/tmp: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /var/tmp: If /var/tmp not mounted, craft mount_info\\n manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /var/tmp\\n - ''\\n - ''\\n - defaults\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /var/tmp: Make sure noexec option is part of the to\\n /var/tmp options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''\\n }) }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - mount_info is defined and \\\"noexec\\\" not in mount_info.options\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_noexec\\n - no_reboot_needed\\n\\n- name: 'Add noexec Option to /var/tmp: Ensure /var/tmp is mounted with noexec option'\\n mount:\\n path: /var/tmp\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_noexec\\n - no_reboot_needed\",\n \"id\": \"mount_option_var_tmp_noexec\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_noexec:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_noexec_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent binaries\nfrom being executed out of.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001764"
+ ],
+ "nist": [
+ "CM-7 (2)"
+ ],
+ "severity": "medium",
+ "description": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "group_id": "xccdf_org.ssgproject.content_group_partitions",
+ "group_title": "Restrict Partition Mount Options",
+ "group_description": "System partitions can be mounted with certain options\nthat limit what files on those partitions can do. These options\nare set in theconfiguration file, and can be\nused to make certain types of malicious behavior more difficult.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R12)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-001764",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000368-GPOS-00154",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "1.1.8",
+ "href": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R12)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-001764",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000368-GPOS-00154",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "1.1.8",
+ "url": "https://www.cisecurity.org/benchmark/ubuntu_linux/"
+ }
+ ],
+ "source_location": {},
+ "title": "Add nosuid Option to /var/tmp",
+ "id": "xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid",
+ "desc": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "descriptions": [
+ {
+ "data": "The presence of SUID and SGID executables should be tightly controlled. Users\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Add nosuid Option to /var/tmp\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"nosuid\",\n \"/var/tmp\",\n \"nosuid\",\n \"/etc/fstab\",\n \"/var/tmp\"\n ],\n \"text\": \"Themount option can be used to prevent\\nexecution of setuid programs in. The SUID and SGID permissions\\nshould not be required in these world-writable directories.\\nAdd theoption to the fourth column offor the line which controls mounting of.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R12)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-001764\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000368-GPOS-00154\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"1.1.8\",\n \"href\": \"https://www.cisecurity.org/benchmark/ubuntu_linux/\"\n }\n ],\n \"rationale\": {\n \"text\": \"The presence of SUID and SGID executables should be tightly controlled. Users\\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine_and_partition-var-tmp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel \\\"/var/tmp\\\" > /dev/null ); then\\n\\nfunction perform_remediation {\\n \\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" \\\"/var/tmp\\\")\\\"\\n\\n grep \\\"$mount_point_match_regexp\\\" -q /etc/fstab \\\\\\n || { echo \\\"The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options\\\" >&2;\\n echo \\\"Not remediating, because there is no record of /var/tmp in /etc/fstab\\\" >&2; return 1; }\\n \\n\\n\\n mount_point_match_regexp=\\\"$(printf \\\"[[:space:]]%s[[:space:]]\\\" /var/tmp)\\\"\\n\\n # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab\\n if [ \\\"$(grep -c \\\"$mount_point_match_regexp\\\" /etc/fstab)\\\" -eq 0 ]; then\\n # runtime opts without some automatic kernel/userspace-added defaults\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/mtab | head -1 | awk '{print $4}' \\\\\\n | sed -E \\\"s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//\\\")\\n [ \\\"$previous_mount_opts\\\" ] && previous_mount_opts+=\\\",\\\"\\n echo \\\" /var/tmp defaults,${previous_mount_opts}nosuid 0 0\\\" >> /etc/fstab\\n # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it\\n elif [ \\\"$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | grep -c \\\"nosuid\\\")\\\" -eq 0 ]; then\\n previous_mount_opts=$(grep \\\"$mount_point_match_regexp\\\" /etc/fstab | awk '{print $4}')\\n sed -i \\\"s|\\\\(${mount_point_match_regexp}.*${previous_mount_opts}\\\\)|\\\\1,nosuid|\\\" /etc/fstab\\n fi\\n\\n\\n if mkdir -p \\\"/var/tmp\\\"; then\\n if mountpoint -q \\\"/var/tmp\\\"; then\\n mount -o remount --target \\\"/var/tmp\\\"\\n else\\n mount --target \\\"/var/tmp\\\"\\n fi\\n fi\\n}\\n\\nperform_remediation\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"mount_option_var_tmp_nosuid\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: 'Add nosuid Option to /var/tmp: Check information associated to mountpoint'\\n command: findmnt --fstab '/var/tmp'\\n register: device_name\\n failed_when: device_name.rc > 1\\n changed_when: false\\n when: ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\",\\n \\\"container\\\"] and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list\\n )\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /var/tmp: Create mount_info dictionary variable'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - '{{ device_name.stdout_lines[0].split() | list | lower }}'\\n - '{{ device_name.stdout_lines[1].split() | list }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - device_name.stdout is defined and device_name.stdout_lines is defined\\n - (device_name.stdout | length > 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /var/tmp: If /var/tmp not mounted, craft mount_info\\n manually'\\n set_fact:\\n mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'\\n with_together:\\n - - target\\n - source\\n - fstype\\n - options\\n - - /var/tmp\\n - ''\\n - ''\\n - defaults\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (\\\"--fstab\\\" | length == 0)\\n - (device_name.stdout | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /var/tmp: Make sure nosuid option is part of the to\\n /var/tmp options'\\n set_fact:\\n mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''\\n }) }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - mount_info is defined and \\\"nosuid\\\" not in mount_info.options\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nosuid\\n - no_reboot_needed\\n\\n- name: 'Add nosuid Option to /var/tmp: Ensure /var/tmp is mounted with nosuid option'\\n mount:\\n path: /var/tmp\\n src: '{{ mount_info.source }}'\\n opts: '{{ mount_info.options }}'\\n state: mounted\\n fstype: '{{ mount_info.fstype }}'\\n when:\\n - ( ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n and \\\"/var/tmp\\\" in ansible_mounts | map(attribute=\\\"mount\\\") | list )\\n - (device_name.stdout is defined and (device_name.stdout | length > 0)) or (\\\"--fstab\\\"\\n | length == 0)\\n tags:\\n - configure_strategy\\n - high_disruption\\n - low_complexity\\n - medium_severity\\n - mount_option_var_tmp_nosuid\\n - no_reboot_needed\",\n \"id\": \"mount_option_var_tmp_nosuid\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"high\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-mount_option_var_tmp_nosuid:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-mount_option_var_tmp_nosuid_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themount option can be used to prevent\nexecution of setuid programs in. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd theoption to the fourth column offor the line which controls mounting of.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6"
+ ],
+ "severity": "medium",
+ "description": "Theoption insection\nofspecifies the maximum size in bytes of a core which will be processed.\nCore dumps exceeding this size may be stored, but the backtrace will not\nbe generated.",
+ "group_id": "xccdf_org.ssgproject.content_group_coredumps",
+ "group_title": "Disable Core Dumps",
+ "group_description": "A core dump file is the memory image of an executable\nprogram when it was terminated by the operating system due to\nerrant behavior. In most cases, only software developers\nlegitimately need to access these files. The core dump files may\nalso contain sensitive information, or unnecessarily occupy large\namounts of disk space.Once a hard limit is set in, or\nto a file within thedirectory, a\nuser cannot increase that limit within his or her own session. If access\nto core dumps is required, consider restricting them to only\ncertain users or groups. See theman page for more\ninformation.The core dumps of setuid programs are further protected. Thevariablecontrols whether\nthe kernel allows core dumps from these programs at all. The default\nvalue of 0 is recommended.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_coredump_disable_backtraces",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-coredump_disable_backtraces:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "fail",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-coredump_disable_backtraces:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_coredump_disable_backtraces",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable core dump backtraces",
+ "id": "xccdf_org.ssgproject.content_rule_coredump_disable_backtraces",
+ "desc": "Theoption insection\nofspecifies the maximum size in bytes of a core which will be processed.\nCore dumps exceeding this size may be stored, but the backtrace will not\nbe generated.",
+ "descriptions": [
+ {
+ "data": "A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data\nand is generally useful only for developers or system operators trying to\ndebug problems.\n\nEnabling core dumps on production systems is not recommended,\nhowever there may be overriding operational requirements to enable advanced\ndebuging. Permitting temporary enablement of core dumps during such situations\nshould be reviewed through local needs and policy.",
+ "label": "rationale"
+ },
+ {
+ "data": "If thefile\ndoes not already contain thesection,\nthe value will not be configured correctly.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable core dump backtraces\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ProcessSizeMax\",\n \"[Coredump]\",\n \"/etc/systemd/coredump.conf\"\n ],\n \"text\": \"Theoption insection\\nofspecifies the maximum size in bytes of a core which will be processed.\\nCore dumps exceeding this size may be stored, but the backtrace will not\\nbe generated.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"/etc/systemd/coredump.conf\",\n \"[Coredump]\"\n ],\n \"text\": \"If thefile\\ndoes not already contain thesection,\\nthe value will not be configured correctly.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"A core dump includes a memory image taken at the time the operating system\\nterminates an application. The memory image could contain sensitive data\\nand is generally useful only for developers or system operators trying to\\ndebug problems.\\n\\nEnabling core dumps on production systems is not recommended,\\nhowever there may be overriding operational requirements to enable advanced\\ndebuging. Permitting temporary enablement of core dumps during such situations\\nshould be reviewed through local needs and policy.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"if [ -e \\\"/etc/systemd/coredump.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*ProcessSizeMax\\\\s*=\\\\s*/Id\\\" \\\"/etc/systemd/coredump.conf\\\"\\nelse\\n touch \\\"/etc/systemd/coredump.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/systemd/coredump.conf\\\"\\n\\ncp \\\"/etc/systemd/coredump.conf\\\" \\\"/etc/systemd/coredump.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"ProcessSizeMax=0\\\" >> \\\"/etc/systemd/coredump.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/systemd/coredump.conf.bak\\\"\",\n \"id\": \"coredump_disable_backtraces\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable core dump backtraces\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*ProcessSizeMax\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/systemd/coredump.conf\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*ProcessSizeMax\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/systemd/coredump.conf\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*ProcessSizeMax\\\\s*=\\\\s*\\n line: ProcessSizeMax=0\\n state: present\\n tags:\\n - NIST-800-53-CM-6\\n - coredump_disable_backtraces\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"coredump_disable_backtraces\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-coredump_disable_backtraces:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_coredump_disable_backtraces\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "failed",
+ "code_desc": "Theoption insection\nofspecifies the maximum size in bytes of a core which will be processed.\nCore dumps exceeding this size may be stored, but the backtrace will not\nbe generated.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6"
+ ],
+ "severity": "medium",
+ "description": "Theoption insection\nofcan be set toto disable storing core dumps permanently.",
+ "group_id": "xccdf_org.ssgproject.content_group_coredumps",
+ "group_title": "Disable Core Dumps",
+ "group_description": "A core dump file is the memory image of an executable\nprogram when it was terminated by the operating system due to\nerrant behavior. In most cases, only software developers\nlegitimately need to access these files. The core dump files may\nalso contain sensitive information, or unnecessarily occupy large\namounts of disk space.Once a hard limit is set in, or\nto a file within thedirectory, a\nuser cannot increase that limit within his or her own session. If access\nto core dumps is required, consider restricting them to only\ncertain users or groups. See theman page for more\ninformation.The core dumps of setuid programs are further protected. Thevariablecontrols whether\nthe kernel allows core dumps from these programs at all. The default\nvalue of 0 is recommended.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_coredump_disable_storage",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-coredump_disable_storage:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-coredump_disable_storage_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "fail",
+ "check": {
+ "check-content-ref": {
+ "name": "oval:ssg-coredump_disable_storage:def:1",
+ "href": "ssg-ubuntu1804-oval.xml"
+ },
+ "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ },
+ "idref": "xccdf_org.ssgproject.content_rule_coredump_disable_storage",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable storing core dump",
+ "id": "xccdf_org.ssgproject.content_rule_coredump_disable_storage",
+ "desc": "Theoption insection\nofcan be set toto disable storing core dumps permanently.",
+ "descriptions": [
+ {
+ "data": "A core dump includes a memory image taken at the time the operating system\nterminates an application. The memory image could contain sensitive data\nand is generally useful only for developers or system operators trying to\ndebug problems. Enabling core dumps on production systems is not recommended,\nhowever there may be overriding operational requirements to enable advanced\ndebuging. Permitting temporary enablement of core dumps during such situations\nshould be reviewed through local needs and policy.",
+ "label": "rationale"
+ },
+ {
+ "data": "If thefile\ndoes not already contain thesection,\nthe value will not be configured correctly.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable storing core dump\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"Storage\",\n \"[Coredump]\",\n \"/etc/systemd/coredump.conf\",\n \"none\"\n ],\n \"text\": \"Theoption insection\\nofcan be set toto disable storing core dumps permanently.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"/etc/systemd/coredump.conf\",\n \"[Coredump]\"\n ],\n \"text\": \"If thefile\\ndoes not already contain thesection,\\nthe value will not be configured correctly.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"A core dump includes a memory image taken at the time the operating system\\nterminates an application. The memory image could contain sensitive data\\nand is generally useful only for developers or system operators trying to\\ndebug problems. Enabling core dumps on production systems is not recommended,\\nhowever there may be overriding operational requirements to enable advanced\\ndebuging. Permitting temporary enablement of core dumps during such situations\\nshould be reviewed through local needs and policy.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"if [ -e \\\"/etc/systemd/coredump.conf\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*Storage\\\\s*=\\\\s*/Id\\\" \\\"/etc/systemd/coredump.conf\\\"\\nelse\\n touch \\\"/etc/systemd/coredump.conf\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/systemd/coredump.conf\\\"\\n\\ncp \\\"/etc/systemd/coredump.conf\\\" \\\"/etc/systemd/coredump.conf.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"Storage=none\\\" >> \\\"/etc/systemd/coredump.conf\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/systemd/coredump.conf.bak\\\"\",\n \"id\": \"coredump_disable_storage\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable storing core dump\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*Storage\\\\s*=\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/systemd/coredump.conf\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*Storage\\\\s*=\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/systemd/coredump.conf\\n lineinfile:\\n path: /etc/systemd/coredump.conf\\n create: false\\n regexp: ^\\\\s*Storage\\\\s*=\\\\s*\\n line: Storage=none\\n state: present\\n tags:\\n - NIST-800-53-CM-6\\n - coredump_disable_storage\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"coredump_disable_storage\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-coredump_disable_storage:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-coredump_disable_storage_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_coredump_disable_storage\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "failed",
+ "code_desc": "Theoption insection\nofcan be set toto disable storing core dumps permanently.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "SI-11 a.",
+ "SI-11 b."
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_coredumps",
+ "group_title": "Disable Core Dumps",
+ "group_description": "A core dump file is the memory image of an executable\nprogram when it was terminated by the operating system due to\nerrant behavior. In most cases, only software developers\nlegitimately need to access these files. The core dump files may\nalso contain sensitive information, or unnecessarily occupy large\namounts of disk space.Once a hard limit is set in, or\nto a file within thedirectory, a\nuser cannot increase that limit within his or her own session. If access\nto core dumps is required, consider restricting them to only\ncertain users or groups. See theman page for more\ninformation.The core dumps of setuid programs are further protected. Thevariablecontrols whether\nthe kernel allows core dumps from these programs at all. The default\nvalue of 0 is recommended.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_suid_dumpable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R23)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(4)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "SI-11(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SI-11(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R23)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(4)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "SI-11(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SI-11(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Core Dumps for SUID programs",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "The core dump of a setuid program is more likely to contain\nsensitive data, as the program itself runs with greater privileges than the\nuser who initiated execution of the program. Disabling the ability for any\nsetuid program to write a core file decreases the risk of unauthorized access\nof such data.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Core Dumps for SUID programs\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"fs.suid_dumpable\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w fs.suid_dumpable=0\",\n \"fs.suid_dumpable = 0\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R23)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(4)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"SI-11(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SI-11(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The core dump of a setuid program is more likely to contain\\nsensitive data, as the program itself runs with greater privileges than the\\nuser who initiated execution of the program. Disabling the ability for any\\nsetuid program to write a core file decreases the risk of unauthorized access\\nof such data.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of fs.suid_dumpable from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*fs.suid_dumpable.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"fs.suid_dumpable\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for fs.suid_dumpable\\n#\\n/sbin/sysctl -q -n -w fs.suid_dumpable=\\\"0\\\"\\n\\n#\\n# If fs.suid_dumpable present in /etc/sysctl.conf, change value to \\\"0\\\"\\n#\\telse, add \\\"fs.suid_dumpable = 0\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^fs.suid_dumpable\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"0\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^fs.suid_dumpable\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^fs.suid_dumpable\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_fs_suid_dumpable\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*fs.suid_dumpable.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-SI-11(a)\\n - NIST-800-53-SI-11(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_suid_dumpable\\n\\n- name: Comment out any occurrences of fs.suid_dumpable from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*fs.suid_dumpable\\n replace: '#fs.suid_dumpable'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-SI-11(a)\\n - NIST-800-53-SI-11(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_suid_dumpable\\n\\n- name: Ensure sysctl fs.suid_dumpable is set to 0\\n sysctl:\\n name: fs.suid_dumpable\\n value: '0'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-SI-11(a)\\n - NIST-800-53-SI-11(b)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_fs_suid_dumpable\",\n \"id\": \"sysctl_fs_suid_dumpable\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_fs_suid_dumpable:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002824",
+ "CCI-000366"
+ ],
+ "nist": [
+ "SI-16",
+ "CM-6 b",
+ "SC-30",
+ "SC-30 (2)",
+ "SC-30 (5)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_enable_execshield_settings",
+ "group_title": "Enable ExecShield",
+ "group_description": "ExecShield describes kernel features that provide\nprotection against exploitation of memory corruption errors such as buffer\noverflows. These features include random placement of the stack and other\nmemory regions, prevention of execution in memory that should only hold data,\nand special handling of text buffers. These protections are enabled by default\non 32-bit systems and controlled throughvariablesand. On the latest\n64-bit systems,cannot be enabled or disabled with.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_kernel_kptr_restrict_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_kptr_restrict:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R23)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-002824",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-002-5 R1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-002-5 R1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 4.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 4.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R8.4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-009-6 R.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-009-6 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "SC-30",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-30(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-30(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000132-GPOS-00067",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000433-GPOS-00192",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "kernel.kptr_restrict",
+ "lang": "en-US"
+ },
+ "description": "Configure exposition of kernel pointer addresses",
+ "value": [
+ "1",
+ {
+ "text": "1",
+ "selector": "1"
+ },
+ {
+ "text": "2",
+ "selector": "2"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value",
+ "type": "number"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R23)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-002824",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-002-5 R1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-002-5 R1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 4.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 4.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R8.4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-009-6 R.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-009-6 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "SC-30",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-30(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-30(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000132-GPOS-00067",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000433-GPOS-00192",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Restrict Exposed Kernel Pointer Addresses Access",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Exposing kernel pointers (through procfs or) exposes kernel\nwriteable structures which may contain functions pointers. If a write vulnerability\noccurs in the kernel, allowing write access to any of this structure, the kernel can\nbe compromised. This option disallow any program without the CAP_SYSLOG capability\nto get the addresses of kernel pointers by replacing them with 0.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Restrict Exposed Kernel Pointer Addresses Access\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"kernel.kptr_restrict\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo sysctl -w kernel.kptr_restrict=\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"kernel.kptr_restrict =\"\n }\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R23)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-002824\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-002-5 R1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-002-5 R1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 4.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 4.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R8.4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-009-6 R.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-009-6 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"SC-30\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-30(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-30(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000132-GPOS-00067\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000433-GPOS-00192\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"seq_printf()\",\n \"text\": \"Exposing kernel pointers (through procfs or) exposes kernel\\nwriteable structures which may contain functions pointers. If a write vulnerability\\noccurs in the kernel, allowing write access to any of this structure, the kernel can\\nbe compromised. This option disallow any program without the CAP_SYSLOG capability\\nto get the addresses of kernel pointers by replacing them with 0.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*kernel.kptr_restrict.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"kernel.kptr_restrict\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\nsysctl_kernel_kptr_restrict_value=''\\n\\n\\n#\\n# Set runtime for kernel.kptr_restrict\\n#\\n/sbin/sysctl -q -n -w kernel.kptr_restrict=\\\"$sysctl_kernel_kptr_restrict_value\\\"\\n\\n#\\n# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value\\n#\\telse, add \\\"kernel.kptr_restrict = value\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^kernel.kptr_restrict\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"$sysctl_kernel_kptr_restrict_value\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^kernel.kptr_restrict\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^kernel.kptr_restrict\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_kernel_kptr_restrict\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*kernel.kptr_restrict.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - NIST-800-53-SC-30(5)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_kptr_restrict\\n\\n- name: Comment out any occurrences of kernel.kptr_restrict from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*kernel.kptr_restrict\\n replace: '#kernel.kptr_restrict'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - NIST-800-53-SC-30(5)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_kptr_restrict\\n- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable\\n set_fact:\\n sysctl_kernel_kptr_restrict_value: !!strtags:\\n - always\\n\\n- name: Ensure sysctl kernel.kptr_restrict is set\\n sysctl:\\n name: kernel.kptr_restrict\\n value: '{{ sysctl_kernel_kptr_restrict_value }}'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - NIST-800-53-SC-30(5)\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_kptr_restrict\",\n \"id\": \"sysctl_kernel_kptr_restrict\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sysctl_kernel_kptr_restrict_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_kptr_restrict:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-002824"
+ ],
+ "nist": [
+ "CM-6 b",
+ "SI-16",
+ "SC-30",
+ "SC-30 (2)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_enable_execshield_settings",
+ "group_title": "Enable ExecShield",
+ "group_description": "ExecShield describes kernel features that provide\nprotection against exploitation of memory corruption errors such as buffer\noverflows. These features include random placement of the stack and other\nmemory regions, prevention of execution in memory that should only hold data,\nand special handling of text buffers. These protections are enabled by default\non 32-bit systems and controlled throughvariablesand. On the latest\n64-bit systems,cannot be enabled or disabled with.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_randomize_va_space:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_randomize_va_space_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R23)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "3.1.7",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002824",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(4)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "CIP-002-5 R1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-002-5 R1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 4.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 4.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-005-6 R1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R8.4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-009-6 R.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-009-6 R4",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "SC-30",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-30(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "Req-2.2.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000433-GPOS-00193",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R23)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "3.1.7",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002824",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(4)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "CIP-002-5 R1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-002-5 R1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 4.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 4.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-005-6 R1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R8.4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-009-6 R.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-009-6 R4",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "SC-30",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-30(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "Req-2.2.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000433-GPOS-00193",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Randomized Layout of Virtual Address Space",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "Address space layout randomization (ASLR) makes it more difficult for an\nattacker to predict the location of attack code they have introduced into a\nprocess's address space during an attempt at exploitation. Additionally,\nASLR makes it more difficult for an attacker to know the location of\nexisting code in order to re-purpose it using return oriented programming\n(ROP) techniques.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Randomized Layout of Virtual Address Space\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"kernel.randomize_va_space\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w kernel.randomize_va_space=2\",\n \"kernel.randomize_va_space = 2\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R23)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"3.1.7\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002824\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(4)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"CIP-002-5 R1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-002-5 R1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 4.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 4.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-005-6 R1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R8.4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-009-6 R.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-009-6 R4\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"SC-30\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-30(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"Req-2.2.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000433-GPOS-00193\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Address space layout randomization (ASLR) makes it more difficult for an\\nattacker to predict the location of attack code they have introduced into a\\nprocess's address space during an attempt at exploitation. Additionally,\\nASLR makes it more difficult for an attacker to know the location of\\nexisting code in order to re-purpose it using return oriented programming\\n(ROP) techniques.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*kernel.randomize_va_space.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"kernel.randomize_va_space\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for kernel.randomize_va_space\\n#\\n/sbin/sysctl -q -n -w kernel.randomize_va_space=\\\"2\\\"\\n\\n#\\n# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to \\\"2\\\"\\n#\\telse, add \\\"kernel.randomize_va_space = 2\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^kernel.randomize_va_space\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"2\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^kernel.randomize_va_space\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^kernel.randomize_va_space\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_kernel_randomize_va_space\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*kernel.randomize_va_space.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - PCI-DSS-Req-2.2.1\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_randomize_va_space\\n\\n- name: Comment out any occurrences of kernel.randomize_va_space from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*kernel.randomize_va_space\\n replace: '#kernel.randomize_va_space'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - PCI-DSS-Req-2.2.1\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_randomize_va_space\\n\\n- name: Ensure sysctl kernel.randomize_va_space is set to 2\\n sysctl:\\n name: kernel.randomize_va_space\\n value: '2'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.7\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-30\\n - NIST-800-53-SC-30(2)\\n - PCI-DSS-Req-2.2.1\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_randomize_va_space\",\n \"id\": \"sysctl_kernel_randomize_va_space\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_randomize_va_space:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_randomize_va_space_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000381"
+ ],
+ "nist": [
+ "CM-7 a",
+ "CM-7 a.",
+ "CM-7 (5) b."
+ ],
+ "severity": "medium",
+ "description": "If the device contains a camera it should be covered or disabled when not in use.",
+ "group_id": "xccdf_org.ssgproject.content_group_restrictions",
+ "group_title": "Restrict Programs from Dangerous Execution Patterns",
+ "group_description": "The recommendations in this section are designed to\nensure that the system's features to protect against potentially\ndangerous program execution are activated.\nThese protections are applied at the system initialization or\nkernel level, and defend against certain types of badly-configured\nor compromised programs.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_uvcvideo_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000381",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-7 (a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7 (5) (b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000095-GPOS-00049",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000370-GPOS-00155",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000381",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-7 (a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7 (5) (b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000095-GPOS-00049",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000370-GPOS-00155",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable the uvcvideo module",
+ "id": "xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled",
+ "desc": "If the device contains a camera it should be covered or disabled when not in use.",
+ "descriptions": [
+ {
+ "data": "Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.\nProviding easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable the uvcvideo module\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"If the device contains a camera it should be covered or disabled when not in use.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000381\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-7 (a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7 (5) (b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000095-GPOS-00049\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000370-GPOS-00155\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.\\nProviding easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif LC_ALL=C grep -q -m 1 \\\"^install uvcvideo\\\" /etc/modprobe.d/uvcvideo.conf ; then\\n\\t\\n\\tsed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf\\nelse\\n\\techo -e \\\"\\\\n# Disable per security requirements\\\" >> /etc/modprobe.d/uvcvideo.conf\\n\\techo \\\"install uvcvideo /bin/true\\\" >> /etc/modprobe.d/uvcvideo.conf\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"kernel_module_uvcvideo_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure kernel module 'uvcvideo' is disabled\\n lineinfile:\\n create: true\\n dest: /etc/modprobe.d/uvcvideo.conf\\n regexp: uvcvideo\\n line: install uvcvideo /bin/true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-7 (5) (b)\\n - NIST-800-53-CM-7 (a)\\n - disable_strategy\\n - kernel_module_uvcvideo_disabled\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\",\n \"id\": \"kernel_module_uvcvideo_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-kernel_module_uvcvideo_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If the device contains a camera it should be covered or disabled when not in use.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "group_id": "xccdf_org.ssgproject.content_group_restrictions",
+ "group_title": "Restrict Programs from Dangerous Execution Patterns",
+ "group_description": "The recommendations in this section are designed to\nensure that the system's features to protect against potentially\ndangerous program execution are activated.\nThese protections are applied at the system initialization or\nkernel level, and defend against certain types of badly-configured\nor compromised programs.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_panic_on_oops:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_panic_on_oops_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Kernel panic on oops",
+ "id": "xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops",
+ "desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "descriptions": [
+ {
+ "data": "An attacker trying to exploit the kernel may trigger kernel OOPSes,\npanicking the system will impede them from continuing.",
+ "label": "rationale"
+ },
+ {
+ "data": "The system may start to panic when it normally wouldn't. A non-catastrophic error that\nwould have allowed the system to continue operating will now result in a panic.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Kernel panic on oops\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"kernel.panic_on_oops\",\n \"/etc/sysctl.d\"\n ],\n \"pre\": [\n \"$ sudo sysctl -w kernel.panic_on_oops=1\",\n \"kernel.panic_on_oops = 1\"\n ],\n \"text\": \"To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"The system may start to panic when it normally wouldn't. A non-catastrophic error that\\nwould have allowed the system to continue operating will now result in a panic.\",\n \"lang\": \"en-US\",\n \"category\": \"functionality\"\n },\n \"rationale\": {\n \"text\": \"An attacker trying to exploit the kernel may trigger kernel OOPSes,\\npanicking the system will impede them from continuing.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# Comment out any occurrences of kernel.panic_on_oops from /etc/sysctl.d/*.conf files\\n\\nfor f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do\\n\\n matching_list=$(grep -P '^(?!#).*[\\\\s]*kernel.panic_on_oops.*$' $f | uniq )\\n if ! test -z \\\"$matching_list\\\"; then\\n while IFS= read -r entry; do\\n escaped_entry=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$entry\\\")\\n # comment out \\\"kernel.panic_on_oops\\\" matches to preserve user data\\n sed -i \\\"s/^${escaped_entry}$/# &/g\\\" $f\\n done <<< \\\"$matching_list\\\"\\n fi\\ndone\\n\\n#\\n# Set runtime for kernel.panic_on_oops\\n#\\n/sbin/sysctl -q -n -w kernel.panic_on_oops=\\\"1\\\"\\n\\n#\\n# If kernel.panic_on_oops present in /etc/sysctl.conf, change value to \\\"1\\\"\\n#\\telse, add \\\"kernel.panic_on_oops = 1\\\" to /etc/sysctl.conf\\n#\\n# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.\\n# Otherwise, regular sed command will do.\\nsed_command=('sed' '-i')\\nif test -L \\\"/etc/sysctl.conf\\\"; then\\n sed_command+=('--follow-symlinks')\\nfi\\n\\n# Strip any search characters in the key arg so that the key can be replaced without\\n# adding any search characters to the config file.\\nstripped_key=$(sed 's/[\\\\^=\\\\$,;+]*//g' <<< \\\"^kernel.panic_on_oops\\\")\\n\\n# shellcheck disable=SC2059\\nprintf -v formatted_output \\\"%s = %s\\\" \\\"$stripped_key\\\" \\\"1\\\"\\n\\n# If the key exists, change it. Otherwise, add it to the config_file.\\n# We search for the key string followed by a word boundary (matched by \\\\>),\\n# so if we search for 'setting', 'setting2' won't match.\\nif LC_ALL=C grep -q -m 1 -i -e \\\"^kernel.panic_on_oops\\\\\\\\>\\\" \\\"/etc/sysctl.conf\\\"; then\\n escaped_formatted_output=$(sed -e 's|/|\\\\\\\\/|g' <<< \\\"$formatted_output\\\")\\n \\\"${sed_command[@]}\\\" \\\"s/^kernel.panic_on_oops\\\\\\\\>.*/$escaped_formatted_output/gi\\\" \\\"/etc/sysctl.conf\\\"\\nelse\\n # \\\\n is precaution for case where file ends without trailing newline\\n \\n printf '%s\\\\n' \\\"$formatted_output\\\" >> \\\"/etc/sysctl.conf\\\"\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sysctl_kernel_panic_on_oops\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: List /etc/sysctl.d/*.conf files\\n find:\\n paths:\\n - /etc/sysctl.d/\\n - /run/sysctl.d/\\n - /usr/local/lib/sysctl.d/\\n - /usr/lib/sysctl.d/\\n contains: ^[\\\\s]*kernel.panic_on_oops.*$\\n patterns: '*.conf'\\n file_type: any\\n register: find_sysctl_d\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_panic_on_oops\\n\\n- name: Comment out any occurrences of kernel.panic_on_oops from config files\\n replace:\\n path: '{{ item.path }}'\\n regexp: ^[\\\\s]*kernel.panic_on_oops\\n replace: '#kernel.panic_on_oops'\\n loop: '{{ find_sysctl_d.files }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_panic_on_oops\\n\\n- name: Ensure sysctl kernel.panic_on_oops is set to 1\\n sysctl:\\n name: kernel.panic_on_oops\\n value: '1'\\n state: present\\n reload: true\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - medium_disruption\\n - medium_severity\\n - reboot_required\\n - sysctl_kernel_panic_on_oops\",\n \"id\": \"sysctl_kernel_panic_on_oops\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sysctl_kernel_panic_on_oops:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sysctl_kernel_panic_on_oops_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To set the runtime status of thekernel parameter, run the following command:To make sure that the setting is persistent, add the following line to a file in the directory:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001084",
+ "CCI-002165",
+ "CCI-002696"
+ ],
+ "nist": [
+ "SC-3",
+ "AC-3 (4)",
+ "SI-6 a",
+ "AC-3",
+ "AC-3 (3) a.",
+ "AU-9",
+ "SC-7 (21)"
+ ],
+ "severity": "high",
+ "description": "The SELinux state should be set toat\nsystem boot time. In the file, add or correct the\nfollowing line to configure the system to boot into enforcing mode:",
+ "group_id": "xccdf_org.ssgproject.content_group_selinux",
+ "group_title": "SELinux",
+ "group_description": "SELinux is a feature of the Linux kernel which can be\nused to guard against misconfigured or compromised programs.\nSELinux enforces the idea that programs should be limited in what\nfiles they can access and what actions they can take.The default SELinux policy, as configured on Ubuntu 18.04, has been\nsufficiently developed and debugged that it should be usable on\nalmost any system with minimal configuration and a small\namount of system administrator training. This policy prevents\nsystem services - including most of the common network-visible\nservices such as mail servers, FTP servers, and DNS servers - from\naccessing files which those services have no valid reason to\naccess. This action alone prevents a huge amount of possible damage\nfrom network attacks against services, from trojaned software, and\nso forth.This guide recommends that SELinux be enabled using the\ndefault (targeted) policy on every Ubuntu 18.04 system, unless that\nsystem has unusual requirements which make a stronger policy\nappropriate.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_selinux_state",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_selinux_state:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_selinux_state\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-selinux_state:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-selinux_state_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R4)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "BP28(R66)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.7.2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-001084",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002165",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002696",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(1)(ii)(D)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(a)(4)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(c)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(a)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.2.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R6.5",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-3(3)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-7(21)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "ID.AM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000445-GPOS-00199",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000134-GPOS-00068",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000445-VMM-001780",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_selinux_state",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "SELinux state",
+ "lang": "en-US"
+ },
+ "description": "enforcing - SELinux security policy is enforced.permissive - SELinux prints warnings instead of enforcing.disabled - SELinux is fully disabled.",
+ "value": [
+ "enforcing",
+ {
+ "text": "disabled",
+ "selector": "disabled"
+ },
+ {
+ "text": "enforcing",
+ "selector": "enforcing"
+ },
+ {
+ "text": "permissive",
+ "selector": "permissive"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_selinux_state",
+ "type": "string"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R4)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "BP28(R66)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.7.2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-001084",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002165",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002696",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(1)(ii)(D)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(a)(4)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(c)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(a)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.2.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R6.5",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-3(3)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-7(21)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "ID.AM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000445-GPOS-00199",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000134-GPOS-00068",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000445-VMM-001780"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure SELinux State is Enforcing",
+ "id": "xccdf_org.ssgproject.content_rule_selinux_state",
+ "desc": "The SELinux state should be set toat\nsystem boot time. In the file, add or correct the\nfollowing line to configure the system to boot into enforcing mode:",
+ "descriptions": [
+ {
+ "data": "Setting the SELinux state to enforcing ensures SELinux is able to confine\npotentially compromised processes to the security policy, which is designed to\nprevent them from causing damage to the system or further elevating their\nprivileges.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure SELinux State is Enforcing\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinux_state\",\n \"use\": \"legacy\"\n }\n },\n \"/etc/selinux/config\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_selinux_state\",\n \"use\": \"legacy\"\n },\n \"text\": \"SELINUX=\"\n },\n \"text\": \"The SELinux state should be set toat\\nsystem boot time. In the file, add or correct the\\nfollowing line to configure the system to boot into enforcing mode:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R4)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"BP28(R66)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.7.2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-001084\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002165\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002696\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(1)(ii)(D)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(a)(4)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(c)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(a)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.2.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R6.5\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-3(3)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-7(21)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"ID.AM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000445-GPOS-00199\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000134-GPOS-00068\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000445-VMM-001780\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Setting the SELinux state to enforcing ensures SELinux is able to confine\\npotentially compromised processes to the security policy, which is designed to\\nprevent them from causing damage to the system or further elevating their\\nprivileges.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_selinux_state:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_selinux_state\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-selinux_state:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-selinux_state_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_selinux_state\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SELinux state should be set toat\nsystem boot time. In the file, add or correct the\nfollowing line to configure the system to boot into enforcing mode:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "Unauthenticated repositories should not be used for updates.",
+ "group_id": "xccdf_org.ssgproject.content_group_apt",
+ "group_title": "APT service configuration",
+ "group_description": "The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authentication and proper lifecycle management.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-apt_conf_disallow_unauthenticated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "BP28(R15)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/",
+ "ref": [
+ {
+ "text": "BP28(R15)"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "Disable unauthenticated repositories in APT configuration",
+ "id": "xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated",
+ "desc": "Unauthenticated repositories should not be used for updates.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-apt_conf_disallow_unauthenticated:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Repositories hosts all packages that will be intsalled on the system during update.\n If a repository is not authenticated, the associated packages can't be trusted,\n and then should not be installed localy.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable unauthenticated repositories in APT configuration\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"Unauthenticated repositories should not be used for updates.\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"BP28(R15)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n \"rationale\": {\n \"text\": \"Repositories hosts all packages that will be intsalled on the system during update.\\n If a repository is not authenticated, the associated packages can't be trusted,\\n and then should not be installed localy.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-apt_conf_disallow_unauthenticated:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Unauthenticated repositories should not be used for updates.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "To prevent Avahi from publishing its records, editand ensure the following line appears in thesection:",
+ "group_id": "xccdf_org.ssgproject.content_group_avahi_configuration",
+ "group_title": "Configure Avahi if Necessary",
+ "group_description": "If your system requires the Avahi daemon, its configuration can be restricted\nto improve security. The Avahi daemon configuration file is. The following security recommendations\nshould be applied to this file:\nSee theman page, or documentation at, for more detailed information\nabout the configuration options.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_avahi_disable_publishing",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_avahi_disable_publishing",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Avahi Publishing",
+ "id": "xccdf_org.ssgproject.content_rule_avahi_disable_publishing",
+ "desc": "To prevent Avahi from publishing its records, editand ensure the following line appears in thesection:",
+ "descriptions": [
+ {
+ "data": "This helps ensure that no record will be published by Avahi.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Avahi Publishing\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/avahi/avahi-daemon.conf\",\n \"[publish]\"\n ],\n \"pre\": \"disable-publishing=yes\",\n \"text\": \"To prevent Avahi from publishing its records, editand ensure the following line appears in thesection:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"This helps ensure that no record will be published by Avahi.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_avahi_disable_publishing\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To prevent Avahi from publishing its records, editand ensure the following line appears in thesection:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The Cron service should be installed.",
+ "group_id": "xccdf_org.ssgproject.content_group_cron_and_at",
+ "group_title": "Cron and At Daemons",
+ "group_description": "The cron and at services are used to allow commands to\nbe executed at a later time. The cron service is required by almost\nall systems to perform necessary maintenance tasks, while at may or\nmay not be required on a given system. Both daemons should be\nconfigured defensively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_cron_installed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_cron_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R50)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_cron_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R50)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Install the cron service",
+ "id": "xccdf_org.ssgproject.content_rule_package_cron_installed",
+ "desc": "The Cron service should be installed.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_cron_installed:def:1",
+ "label": "check"
+ },
+ {
+ "data": "The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Install the cron service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The Cron service should be installed.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R50)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"cron\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_cron_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure cron is installed\\n package:\\n name: cron\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_cron_installed\",\n \"id\": \"package_cron_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_cron\\n\\nclass install_cron {\\n package { 'cron':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_cron_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"cron\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_cron_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_cron_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_cron_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The Cron service should be installed.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theservice is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity.\n\nTheservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_cron_and_at",
+ "group_title": "Cron and At Daemons",
+ "group_description": "The cron and at services are used to allow commands to\nbe executed at a later time. The cron service is required by almost\nall systems to perform necessary maintenance tasks, while at may or\nmay not be required on a given system. Both daemons should be\nconfigured defensively.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_cron_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_cron_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_cron_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_cron_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable cron Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_cron_enabled",
+ "desc": "Theservice is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity.\n\nTheservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Due to its usage for maintenance and security-supporting tasks,\nenabling the cron daemon is essential.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable cron Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"crond\",\n \"cron\"\n ],\n \"pre\": \"$ sudo systemctl enable cron.service\",\n \"text\": \"Theservice is used to execute commands at\\npreconfigured times. It is required by almost all systems to perform necessary\\nmaintenance tasks, such as notifying root of system activity.\\n\\nTheservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Due to its usage for maintenance and security-supporting tasks,\\nenabling the cron daemon is essential.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'cron.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'cron.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'cron.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_cron_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service cron\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service cron\\n service:\\n name: cron\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"cron\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_cron_enabled\",\n \"id\": \"service_cron_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_cron\\n\\nclass enable_cron {\\n service {'cron':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_cron_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"cron\\\"]\",\n \"id\": \"service_cron_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_cron_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_cron_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_cron_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice is used to execute commands at\npreconfigured times. It is required by almost all systems to perform necessary\nmaintenance tasks, such as notifying root of system activity.\n\nTheservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "The inet-based telnet daemon should be uninstalled.",
+ "group_id": "xccdf_org.ssgproject.content_group_deprecated",
+ "group_title": "Deprecated services",
+ "group_description": "Some deprecated software services impact the overall system security due to their behavior (leak of\nconfidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_inetutils-telnetd_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT007(R03)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT007(R03)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Uninstall the inet-based telnet server",
+ "id": "xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed",
+ "desc": "The inet-based telnet daemon should be uninstalled.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_inetutils-telnetd_removed:def:1",
+ "label": "check"
+ },
+ {
+ "data": "allows clear text communications, and does not protect any\ndata transmission between client and server. Any confidential data can be\nlistened and no integrity checking is made.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Uninstall the inet-based telnet server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The inet-based telnet daemon should be uninstalled.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT007(R03)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"telnet\",\n \"text\": \"allows clear text communications, and does not protect any\\ndata transmission between client and server. Any confidential data can be\\nlistened and no integrity checking is made.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# CAUTION: This remediation script will remove inetutils-telnetd\\n#\\t from the system, and may remove any packages\\n#\\t that depend on inetutils-telnetd. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"inetutils-telnetd\\\"\",\n \"id\": \"package_inetutils-telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure inetutils-telnetd is removed\\n package:\\n name: inetutils-telnetd\\n state: absent\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - package_inetutils-telnetd_removed\",\n \"id\": \"package_inetutils-telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_inetutils-telnetd\\n\\nclass remove_inetutils-telnetd {\\n package { 'inetutils-telnetd':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_inetutils-telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_inetutils-telnetd_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The inet-based telnet daemon should be uninstalled.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "The support for Yellowpages should not be installed unless it is required.",
+ "group_id": "xccdf_org.ssgproject.content_group_deprecated",
+ "group_title": "Deprecated services",
+ "group_description": "Some deprecated software services impact the overall system security due to their behavior (leak of\nconfidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_nis_removed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_nis_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_nis_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Uninstall the nis package",
+ "id": "xccdf_org.ssgproject.content_rule_package_nis_removed",
+ "desc": "The support for Yellowpages should not be installed unless it is required.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_nis_removed:def:1",
+ "label": "check"
+ },
+ {
+ "data": "NIS is the historical SUN service for central account management, more and more replaced by LDAP.\nNIS does not support efficiently security constraints, ACL, etc. and should not be used.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Uninstall the nis package\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The support for Yellowpages should not be installed unless it is required.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"NIS is the historical SUN service for central account management, more and more replaced by LDAP.\\nNIS does not support efficiently security constraints, ACL, etc. and should not be used.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# CAUTION: This remediation script will remove nis\\n#\\t from the system, and may remove any packages\\n#\\t that depend on nis. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"nis\\\"\",\n \"id\": \"package_nis_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure nis is removed\\n package:\\n name: nis\\n state: absent\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - package_nis_removed\",\n \"id\": \"package_nis_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_nis\\n\\nclass remove_nis {\\n package { 'nis':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_nis_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_nis_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_nis_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The support for Yellowpages should not be installed unless it is required.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.",
+ "group_id": "xccdf_org.ssgproject.content_group_deprecated",
+ "group_title": "Deprecated services",
+ "group_description": "Some deprecated software services impact the overall system security due to their behavior (leak of\nconfidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_ntpdate_removed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_ntpdate_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_ntpdate_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Uninstall the ntpdate package",
+ "id": "xccdf_org.ssgproject.content_rule_package_ntpdate_removed",
+ "desc": "ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_ntpdate_removed:def:1",
+ "label": "check"
+ },
+ {
+ "data": "ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Uninstall the ntpdate package\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# CAUTION: This remediation script will remove ntpdate\\n#\\t from the system, and may remove any packages\\n#\\t that depend on ntpdate. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"ntpdate\\\"\",\n \"id\": \"package_ntpdate_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure ntpdate is removed\\n package:\\n name: ntpdate\\n state: absent\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - package_ntpdate_removed\",\n \"id\": \"package_ntpdate_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_ntpdate\\n\\nclass remove_ntpdate {\\n package { 'ntpdate':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_ntpdate_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_ntpdate_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_ntpdate_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "Thedaemon, even with ssl support, should be uninstalled.",
+ "group_id": "xccdf_org.ssgproject.content_group_deprecated",
+ "group_title": "Deprecated services",
+ "group_description": "Some deprecated software services impact the overall system security due to their behavior (leak of\nconfidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_telnetd-ssl_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT007(R02)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT007(R02)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Uninstall the ssl compliant telnet server",
+ "id": "xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed",
+ "desc": "Thedaemon, even with ssl support, should be uninstalled.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_telnetd-ssl_removed:def:1",
+ "label": "check"
+ },
+ {
+ "data": ", even with ssl support, should not be installed.\nWhen remote shell is required, up-to-date ssh daemon can be used.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Uninstall the ssl compliant telnet server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"telnet\",\n \"text\": \"Thedaemon, even with ssl support, should be uninstalled.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT007(R02)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"telnet\",\n \"text\": \", even with ssl support, should not be installed.\\nWhen remote shell is required, up-to-date ssh daemon can be used.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# CAUTION: This remediation script will remove telnetd-ssl\\n#\\t from the system, and may remove any packages\\n#\\t that depend on telnetd-ssl. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"telnetd-ssl\\\"\",\n \"id\": \"package_telnetd-ssl_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure telnetd-ssl is removed\\n package:\\n name: telnetd-ssl\\n state: absent\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - package_telnetd-ssl_removed\",\n \"id\": \"package_telnetd-ssl_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_telnetd-ssl\\n\\nclass remove_telnetd-ssl {\\n package { 'telnetd-ssl':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_telnetd-ssl_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_telnetd-ssl_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thedaemon, even with ssl support, should be uninstalled.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "The telnet daemon should be uninstalled.",
+ "group_id": "xccdf_org.ssgproject.content_group_deprecated",
+ "group_title": "Deprecated services",
+ "group_description": "Some deprecated software services impact the overall system security due to their behavior (leak of\nconfidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_telnetd_removed",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_telnetd_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R1)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT007(R03)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal",
+ "description": "This profile contains items to be applied systematically.",
+ "title": "Profile for ANSSI DAT-NT28 Minimal Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_telnetd_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R1)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT007(R03)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Uninstall the telnet server",
+ "id": "xccdf_org.ssgproject.content_rule_package_telnetd_removed",
+ "desc": "The telnet daemon should be uninstalled.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-package_telnetd_removed:def:1",
+ "label": "check"
+ },
+ {
+ "data": "allows clear text communications, and does not protect\nany data transmission between client and server. Any confidential data\ncan be listened and no integrity checking is made.'",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Uninstall the telnet server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The telnet daemon should be uninstalled.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R1)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT007(R03)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"telnet\",\n \"text\": \"allows clear text communications, and does not protect\\nany data transmission between client and server. Any confidential data\\ncan be listened and no integrity checking is made.'\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# CAUTION: This remediation script will remove telnetd\\n#\\t from the system, and may remove any packages\\n#\\t that depend on telnetd. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"telnetd\\\"\",\n \"id\": \"package_telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure telnetd is removed\\n package:\\n name: telnetd\\n state: absent\\n tags:\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - package_telnetd_removed\",\n \"id\": \"package_telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_telnetd\\n\\nclass remove_telnetd {\\n package { 'telnetd':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_telnetd_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_telnetd_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_package_telnetd_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The telnet daemon should be uninstalled.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "Create the file, and add an\nappropriate setting for each of the ten configuration settings which can be\nobtained via DHCP. For each setting, do one of the following:If the setting shouldbe configured remotely by the DHCP server,\nselect an appropriate static value, and add the line:If the setting should be configured remotely by the DHCP server, add the lines:For example, suppose the DHCP server should provide only the IP address itself\nand the subnet mask. Then the entire file should look like:",
+ "group_id": "xccdf_org.ssgproject.content_group_dhcp_client_configuration",
+ "group_title": "Configure DHCP Client if Necessary",
+ "group_description": "If DHCP must be used, then certain configuration changes can\nminimize the amount of information it receives and applies from the network,\nand thus the amount of incorrect information a rogue DHCP server could\nsuccessfully distribute. For more information on configuring dhclient, see theandman pages.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Minimize the DHCP-Configured Options",
+ "id": "xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options",
+ "desc": "Create the file, and add an\nappropriate setting for each of the ten configuration settings which can be\nobtained via DHCP. For each setting, do one of the following:If the setting shouldbe configured remotely by the DHCP server,\nselect an appropriate static value, and add the line:If the setting should be configured remotely by the DHCP server, add the lines:For example, suppose the DHCP server should provide only the IP address itself\nand the subnet mask. Then the entire file should look like:",
+ "descriptions": [
+ {
+ "data": "By default, the DHCP client program, dhclient, requests and applies\nten configuration options (in addition to the IP address) from the DHCP server.\nsubnet-mask, broadcast-address, time-offset, routers, domain-name,\ndomain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many\nof the options requested and applied by dhclient may be the same for every\nsystem on a network. It is recommended that almost all configuration options be\nassigned statically, and only options which must vary on a host-by-host basis\nbe assigned via DHCP. This limits the damage which can be done by a rogue DHCP\nserver. If appropriate for your site, it is also possible to supersede the\nhost-name directive in, establishing a static\nhostname for the system. However, dhclient does not use the host name option\nprovided by the DHCP server (instead using the value provided by a reverse DNS\nlookup).",
+ "label": "rationale"
+ },
+ {
+ "data": "In this example, the options nis-servers and\nnis-domain are set to empty strings, on the assumption that the deprecated NIS\nprotocol is not in use. It is necessary to supersede settings for unused\nservices so that they cannot be set by a hostile DHCP server. If an option is\nset to an empty string, dhclient will typically not attempt to configure the\nservice.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Minimize the DHCP-Configured Options\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/dhcp/dhclient.conf\",\n \"br\": \"\",\n \"i\": \"not\",\n \"pre\": [\n {\n \"code\": \"setting value\",\n \"text\": \"supersede;\"\n },\n {\n \"code\": [\n \"setting\",\n \"setting\"\n ],\n \"text\": \"request;\\nrequire;\"\n },\n \"supersede domain-name \\\"example.com\\\";\\nsupersede domain-name-servers 192.168.1.2;\\nsupersede nis-domain \\\"\\\";\\nsupersede nis-servers \\\"\\\";\\nsupersede ntp-servers \\\"ntp.example.com \\\";\\nsupersede routers 192.168.1.1;\\nsupersede time-offset -18000;\\nrequest subnet-mask;\\nrequire subnet-mask;\"\n ],\n \"text\": \"Create the file, and add an\\nappropriate setting for each of the ten configuration settings which can be\\nobtained via DHCP. For each setting, do one of the following:If the setting shouldbe configured remotely by the DHCP server,\\nselect an appropriate static value, and add the line:If the setting should be configured remotely by the DHCP server, add the lines:For example, suppose the DHCP server should provide only the IP address itself\\nand the subnet mask. Then the entire file should look like:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"In this example, the options nis-servers and\\nnis-domain are set to empty strings, on the assumption that the deprecated NIS\\nprotocol is not in use. It is necessary to supersede settings for unused\\nservices so that they cannot be set by a hostile DHCP server. If an option is\\nset to an empty string, dhclient will typically not attempt to configure the\\nservice.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"code\": \"/etc/dhcp/dhclient.conf\",\n \"text\": \"By default, the DHCP client program, dhclient, requests and applies\\nten configuration options (in addition to the IP address) from the DHCP server.\\nsubnet-mask, broadcast-address, time-offset, routers, domain-name,\\ndomain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many\\nof the options requested and applied by dhclient may be the same for every\\nsystem on a network. It is recommended that almost all configuration options be\\nassigned statically, and only options which must vary on a host-by-host basis\\nbe assigned via DHCP. This limits the damage which can be done by a rogue DHCP\\nserver. If appropriate for your site, it is also possible to supersede the\\nhost-name directive in, establishing a static\\nhostname for the system. However, dhclient does not use the host name option\\nprovided by the DHCP server (instead using the value provided by a reverse DNS\\nlookup).\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Create the file, and add an\nappropriate setting for each of the ten configuration settings which can be\nobtained via DHCP. For each setting, do one of the following:If the setting shouldbe configured remotely by the DHCP server,\nselect an appropriate static value, and add the line:If the setting should be configured remotely by the DHCP server, add the lines:For example, suppose the DHCP server should provide only the IP address itself\nand the subnet mask. Then the entire file should look like:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "unknown",
+ "description": "Edit /etc/dhcp/dhcpd.conf. Examine each address range section within\nthe file, and ensure that the following options are not defined unless there is\nan operational need to provide this information via DHCP:",
+ "group_id": "xccdf_org.ssgproject.content_group_dhcp_server_configuration",
+ "group_title": "Configure DHCP Server",
+ "group_description": "If the system must act as a DHCP server, the configuration\ninformation it serves should be minimized. Also, support for other protocols\nand DNS-updating schemes should be explicitly disabled unless needed. The\nconfiguration file for dhcpd is called. The file\nbegins with a number of global configuration options. The remainder of the file\nis divided into sections, one for each block of addresses offered by dhcpd,\neach of which contains configuration options specific to that address\nblock.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Minimize Served Information",
+ "id": "xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info",
+ "desc": "Edit /etc/dhcp/dhcpd.conf. Examine each address range section within\nthe file, and ensure that the following options are not defined unless there is\nan operational need to provide this information via DHCP:",
+ "descriptions": [
+ {
+ "data": "Because the configuration information provided by the DHCP server\ncould be maliciously provided to clients by a rogue DHCP server, the amount of\ninformation provided via DHCP should be minimized. Remove these definitions\nfrom the DHCP server configuration to ensure that legitimate clients do not\nunnecessarily rely on DHCP for this information.",
+ "label": "rationale"
+ },
+ {
+ "data": "By default, the Red Hat Enterprise Linux client installation uses DHCP\nto request much of the above information from the DHCP server. In particular,\ndomain-name, domain-name-servers, and routers are configured via DHCP. These\nsettings are typically necessary for proper network functionality, but are also\nusually static across systems at a given site.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Minimize Served Information\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"option domain-name\\noption domain-name-servers\\noption nis-domain\\noption nis-servers\\noption ntp-servers\\noption routers\\noption time-offset\",\n \"text\": \"Edit /etc/dhcp/dhcpd.conf. Examine each address range section within\\nthe file, and ensure that the following options are not defined unless there is\\nan operational need to provide this information via DHCP:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"By default, the Red Hat Enterprise Linux client installation uses DHCP\\nto request much of the above information from the DHCP server. In particular,\\ndomain-name, domain-name-servers, and routers are configured via DHCP. These\\nsettings are typically necessary for proper network functionality, but are also\\nusually static across systems at a given site.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Because the configuration information provided by the DHCP server\\ncould be maliciously provided to clients by a rogue DHCP server, the amount of\\ninformation provided via DHCP should be minimized. Remove these definitions\\nfrom the DHCP server configuration to ensure that legitimate clients do not\\nunnecessarily rely on DHCP for this information.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Edit /etc/dhcp/dhcpd.conf. Examine each address range section within\nthe file, and ensure that the following options are not defined unless there is\nan operational need to provide this information via DHCP:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 b."
+ ],
+ "severity": "medium",
+ "description": "fapolicyd needs be configured so that users cannot give access to their home folders to other users.",
+ "group_id": "xccdf_org.ssgproject.content_group_fapolicyd",
+ "group_title": "Application Whitelisting Daemon",
+ "group_description": "Fapolicyd (File Access Policy Daemon) implements application whitelisting\nto decide file access rights. Applications that are known via a reputation\nsource are allowed access while unknown applications are not. The daemon\nmakes use of the kernel'sinterface to determine file access rights.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6 b",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00230",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6 b",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00230",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "fapolicyd Must be Configured to Limit Access to Users Home Folders",
+ "id": "xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access",
+ "desc": "fapolicyd needs be configured so that users cannot give access to their home folders to other users.",
+ "descriptions": [
+ {
+ "data": "Users' home directories/folders may contain information of a sensitive nature.\nNon-privileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.\nfapolicyd can confine users to their home directory, not allowing them to make any changes outside of their own home directories.\nConfining users to their home directory will minimize the risk of sharing information.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule is deprecated and there is no replacement at this time.\nPrevious versions of this rule provided fixtext that would cause fapolicyd not to start.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"fapolicyd Must be Configured to Limit Access to Users Home Folders\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"fapolicyd needs be configured so that users cannot give access to their home folders to other users.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"This rule is deprecated and there is no replacement at this time.\\nPrevious versions of this rule provided fixtext that would cause fapolicyd not to start.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6 b\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00230\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Users' home directories/folders may contain information of a sensitive nature.\\nNon-privileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.\\nfapolicyd can confine users to their home directory, not allowing them to make any changes outside of their own home directories.\\nConfining users to their home directory will minimize the risk of sharing information.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "fapolicyd needs be configured so that users cannot give access to their home folders to other users.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:Edit the file. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:If anonymous access is also required, add the anonymous usernames toas well.",
+ "group_id": "xccdf_org.ssgproject.content_group_ftp_restrict_users",
+ "group_title": "Restrict the Set of Users Allowed to Access FTP",
+ "group_description": "This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to\ndo this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an\nidentified need for this access.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_ftp_limit_users",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_ftp_limit_users",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Limit Users Allowed FTP Access if Necessary",
+ "id": "xccdf_org.ssgproject.content_rule_ftp_limit_users",
+ "desc": "If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:Edit the file. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:If anonymous access is also required, add the anonymous usernames toas well.",
+ "descriptions": [
+ {
+ "data": "Historically, the filecontained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration optionis set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Limit Users Allowed FTP Access if Necessary\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": [\n \"userlist_enable=YES\\nuserlist_file=/etc/vsftp.ftpusers\\nuserlist_deny=NO\",\n \"USERNAME\",\n \"anonymous\\nftp\"\n ],\n \"code\": [\n \"/etc/vsftp.ftpusers\",\n \"/etc/vsftp.ftpusers\"\n ],\n \"text\": \"If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:Edit the file. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:If anonymous access is also required, add the anonymous usernames toas well.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": [\n \"/etc/ftpusers\",\n \"userlist deny=NO\"\n ],\n \"text\": \"Historically, the filecontained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration optionis set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_ftp_limit_users\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:Edit the file. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:If anonymous access is also required, add the anonymous usernames toas well.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "By default,blocks access to the ports used by the web server.\n\nTo configureto allow port 21 traffic, one must editand(if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:Edit the file. Ensure that the space-separated list of modules contains\nthe FTP connection tracking module:",
+ "group_id": "xccdf_org.ssgproject.content_group_ftp_configure_vsftpd",
+ "group_title": "Configure vsftpd to Provide FTP Service if Necessary",
+ "group_description": "The primary vsftpd configuration file is, if that file exists, orif it does not.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_ftp_configure_firewall",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_ftp_configure_firewall",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure Firewalls to Protect the FTP Server",
+ "id": "xccdf_org.ssgproject.content_rule_ftp_configure_firewall",
+ "desc": "By default,blocks access to the ports used by the web server.\n\nTo configureto allow port 21 traffic, one must editand(if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:Edit the file. Ensure that the space-separated list of modules contains\nthe FTP connection tracking module:",
+ "descriptions": [
+ {
+ "data": "These settings configure the firewall to allow connections to an FTP server.\n\n\nThe first line allows initial connections to the FTP server port.\nFTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client\nand server negotiate an arbitrary port to be used for data transfer. Themodule is used by\niptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an\nFTP server to operate on a system which is running a firewall.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Configure Firewalls to Protect the FTP Server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"iptables\",\n \"iptables\",\n \"/etc/sysconfig/iptables\",\n \"/etc/sysconfig/ip6tables\",\n \"/etc/sysconfig/iptables-config\"\n ],\n \"pre\": [\n \"-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT\",\n \"IPTABLES_MODULES=\\\"ip_conntrack_ftp\\\"\"\n ],\n \"text\": \"By default,blocks access to the ports used by the web server.\\n\\nTo configureto allow port 21 traffic, one must editand(if IPv6 is in use).\\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:Edit the file. Ensure that the space-separated list of modules contains\\nthe FTP connection tracking module:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": \"ip_conntrack_ftp\",\n \"text\": \"These settings configure the firewall to allow connections to an FTP server.\\n\\n\\nThe first line allows initial connections to the FTP server port.\\nFTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client\\nand server negotiate an arbitrary port to be used for data transfer. Themodule is used by\\niptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an\\nFTP server to operate on a system which is running a firewall.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_ftp_configure_firewall\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "By default,blocks access to the ports used by the web server.\n\nTo configureto allow port 21 traffic, one must editand(if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:Edit the file. Ensure that the space-separated list of modules contains\nthe FTP connection tracking module:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000139",
+ "CCI-000366"
+ ],
+ "nist": [
+ "AU-5 a",
+ "CM-6 b",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Make sure that mails delivered to root user are forwarded to a monitored\nemail address. Make sure that the addressis a valid email address\nreachable from the system in question. Use the following command to\nconfigure the alias:",
+ "group_id": "xccdf_org.ssgproject.content_group_postfix_client",
+ "group_title": "Configure SMTP For Mail Clients",
+ "group_description": "This section discusses settings for Postfix in a submission-only\ne-mail configuration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_postfix_root_mail_alias:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-postfix_client_configure_mail_alias:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R49)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-000139",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000046-GPOS-00022",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": [
+ {
+ "title": {
+ "text": "Postfix Root Mail Alias",
+ "lang": "en-US"
+ },
+ "description": "Specify an email address (string) for a root mail alias.",
+ "value": [
+ "system.administrator@mail.mil",
+ {
+ "text": "system.administrator@mail.mil",
+ "selector": "mil_sysadmin"
+ }
+ ],
+ "id": "xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias",
+ "type": "string",
+ "interactive": "true"
+ }
+ ]
+ },
+ "refs": [
+ {
+ "ref": "BP28(R49)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-000139",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000046-GPOS-00022",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure System to Forward All Mail For The Root Account",
+ "id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias",
+ "desc": "Make sure that mails delivered to root user are forwarded to a monitored\nemail address. Make sure that the addressis a valid email address\nreachable from the system in question. Use the following command to\nconfigure the alias:",
+ "descriptions": [
+ {
+ "data": "A number of system services utilize email messages sent to the root user to\nnotify system administrators of active or impending issues. These messages must\nbe forwarded to at least one monitored email address.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure System to Forward All Mail For The Root Account\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias\",\n \"use\": \"legacy\"\n },\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias\",\n \"use\": \"legacy\"\n },\n \"text\": \"$ sudo echo \\\"root:\\\" >> /etc/aliases\\n$ sudo newaliases\"\n },\n \"text\": \"Make sure that mails delivered to root user are forwarded to a monitored\\nemail address. Make sure that the addressis a valid email address\\nreachable from the system in question. Use the following command to\\nconfigure the alias:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R49)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-000139\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000046-GPOS-00022\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"A number of system services utilize email messages sent to the root user to\\nnotify system administrators of active or impending issues. These messages must\\nbe forwarded to at least one monitored email address.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-var_postfix_root_mail_alias:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-postfix_client_configure_mail_alias:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Make sure that mails delivered to root user are forwarded to a monitored\nemail address. Make sure that the addressis a valid email address\nreachable from the system in question. Use the following command to\nconfigure the alias:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000139"
+ ],
+ "nist": [
+ "AU-5 a",
+ "AU-5 a.",
+ "AU-5 (1) ii."
+ ],
+ "severity": "medium",
+ "description": "Verify the administrators are notified in the event of an audit processing failure.\nCheck that the \"/etc/aliases\" file has a defined value for \"root\".",
+ "group_id": "xccdf_org.ssgproject.content_group_postfix_client",
+ "group_title": "Configure SMTP For Mail Clients",
+ "group_description": "This section discusses settings for Postfix in a submission-only\ne-mail configuration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-postfix_client_configure_mail_alias_postmaster:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_mail_alias_postmaster_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000139",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "AU-5(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-5.1(ii)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000046-GPOS-00022",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000139",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "AU-5(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-5.1(ii)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000046-GPOS-00022",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Configure System to Forward All Mail From Postmaster to The Root Account",
+ "id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster",
+ "desc": "Verify the administrators are notified in the event of an audit processing failure.\nCheck that the \"/etc/aliases\" file has a defined value for \"root\".",
+ "descriptions": [
+ {
+ "data": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to\nprocess audit logs as required. Without this notification, the security personnel may be\nunaware of an impending failure of the audit capability, and system operation may be adversely\naffected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing\nmechanisms, and audit storage capacity being reached or exceeded.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure System to Forward All Mail From Postmaster to The Root Account\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"pre\": \"$ sudo grep \\\"postmaster:\\\\s*root$\\\" /etc/aliases\\n\\npostmaster: root\",\n \"text\": \"Verify the administrators are notified in the event of an audit processing failure.\\nCheck that the \\\"/etc/aliases\\\" file has a defined value for \\\"root\\\".\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000139\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"AU-5(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-5.1(ii)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000046-GPOS-00022\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"It is critical for the appropriate personnel to be aware if a system is at risk of failing to\\nprocess audit logs as required. Without this notification, the security personnel may be\\nunaware of an impending failure of the audit capability, and system operation may be adversely\\naffected.\\n\\nAudit processing failures include software/hardware errors, failures in the audit capturing\\nmechanisms, and audit storage capacity being reached or exceeded.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/aliases\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*postmaster\\\\s*:\\\\s*/Id\\\" \\\"/etc/aliases\\\"\\nelse\\n touch \\\"/etc/aliases\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/aliases\\\"\\n\\ncp \\\"/etc/aliases\\\" \\\"/etc/aliases.bak\\\"\\n# Insert at the end of the file\\nprintf '%s\\\\n' \\\"postmaster: root\\\" >> \\\"/etc/aliases\\\"\\n# Clean up after ourselves.\\nrm \\\"/etc/aliases.bak\\\"\\n\\nif [ -f /usr/bin/newaliases ]; then\\n newaliases\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"postfix_client_configure_mail_alias_postmaster\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Configure System to Forward All Mail From Postmaster to The Root Account\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/aliases\\n create: false\\n regexp: ^\\\\s*postmaster\\\\s*:\\\\s*\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/aliases\\n lineinfile:\\n path: /etc/aliases\\n create: false\\n regexp: ^\\\\s*postmaster\\\\s*:\\\\s*\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/aliases\\n lineinfile:\\n path: /etc/aliases\\n create: true\\n regexp: ^\\\\s*postmaster\\\\s*:\\\\s*\\n line: 'postmaster: root'\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-5(a)\\n - NIST-800-53-AU-5.1(ii)\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - postfix_client_configure_mail_alias_postmaster\\n\\n- name: Check if newaliases command is available\\n ansible.builtin.stat:\\n path: /usr/bin/newaliases\\n register: result_newaliases_present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-5(a)\\n - NIST-800-53-AU-5.1(ii)\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - postfix_client_configure_mail_alias_postmaster\\n\\n- name: Update postfix aliases\\n ansible.builtin.command:\\n cmd: newaliases\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - result_newaliases_present.stat.exists\\n tags:\\n - NIST-800-53-AU-5(a)\\n - NIST-800-53-AU-5.1(ii)\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - postfix_client_configure_mail_alias_postmaster\",\n \"id\": \"postfix_client_configure_mail_alias_postmaster\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-postfix_client_configure_mail_alias_postmaster:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_mail_alias_postmaster_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Verify the administrators are notified in the event of an audit processing failure.\nCheck that the \"/etc/aliases\" file has a defined value for \"root\".",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Set up a relay host that will act as a gateway for all outbound email.\nEdit the fileto ensure that only the followingline appears:",
+ "group_id": "xccdf_org.ssgproject.content_group_postfix_client",
+ "group_title": "Configure SMTP For Mail Clients",
+ "group_description": "This section discusses settings for Postfix in a submission-only\ne-mail configuration.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_relayhost_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Configure System to Forward All Mail through a specific host",
+ "id": "xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost",
+ "desc": "Set up a relay host that will act as a gateway for all outbound email.\nEdit the fileto ensure that only the followingline appears:",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-postfix_client_configure_relayhost_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "A central outbound email location ensures messages sent from any network host\ncan be audited for potential unexpected content. Tooling on the central server\nmay help prevent spam or viruses from being delivered.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Configure System to Forward All Mail through a specific host\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/postfix/main.cf\",\n \"relayhost\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_postfix_relayhost\",\n \"use\": \"legacy\"\n },\n \"text\": \"relayhost =\"\n },\n \"text\": \"Set up a relay host that will act as a gateway for all outbound email.\\nEdit the fileto ensure that only the followingline appears:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"A central outbound email location ensures messages sent from any network host\\ncan be audited for potential unexpected content. Tooling on the central server\\nmay help prevent spam or viruses from being delivered.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_postfix\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-postfix_client_configure_relayhost_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Set up a relay host that will act as a gateway for all outbound email.\nEdit the fileto ensure that only the followingline appears:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "A mail server is required for sending emails.\nThepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_mail",
+ "group_title": "Mail Server Software",
+ "group_description": "Mail servers are used to send and receive email over the network.\nMail is a very common service, and Mail Transfer Agents (MTAs) are obvious\ntargets of network attack.\nEnsure that systems are not running MTAs unnecessarily,\nand configure needed MTAs as defensively as possible.Very few systems at any site should be configured to directly receive email over the\nnetwork. Users should instead use mail client programs to retrieve email\nfrom a central server that supports protocols such as IMAP or POP3.\nHowever, it is normal for most systems to be independently capable of sending email,\nfor instance so that cron jobs can report output to an administrator.\nMost MTAs, including Postfix, support a submission-only mode in which mail can be sent from\nthe local system to a central site MTA (or directly delivered to a local account),\nbut the system still cannot receive mail directly over a network.Theprogram in Ubuntu 18.04 permits selection of other mail server software\n(such as Sendmail), but Postfix is the default and is preferred.\nPostfix was coded with security in mind and can also be more effectively contained by\nSELinux as its modular design has resulted in separate processes performing specific actions.\nMore information is available on its website,.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_postfix_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_postfix_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_postfix_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": {
+ "text": "SRG-OS-000046-GPOS-00022",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_postfix_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os",
+ "ref": [
+ {
+ "text": "SRG-OS-000046-GPOS-00022"
+ }
+ ]
+ }
+ ],
+ "source_location": {},
+ "title": "The Postfix package is installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_postfix_installed",
+ "desc": "A mail server is required for sending emails.\nThepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "Emails can be used to notify designated personnel about important\nsystem events such as failures or warnings.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"The Postfix package is installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"postfix\",\n \"pre\": \"$ apt-get install postfix\",\n \"text\": \"A mail server is required for sending emails.\\nThepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": {\n \"text\": \"SRG-OS-000046-GPOS-00022\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n \"rationale\": {\n \"text\": \"Emails can be used to notify designated personnel about important\\nsystem events such as failures or warnings.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"postfix\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_postfix_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure postfix is installed\\n package:\\n name: postfix\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_postfix_installed\",\n \"id\": \"package_postfix_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_postfix\\n\\nclass install_postfix {\\n package { 'postfix':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_postfix_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"postfix\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_postfix_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_postfix_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_postfix_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_postfix_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "A mail server is required for sending emails.\nThepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "The netfs script manages the boot-time mounting of several types\nof networked filesystems, of which NFS and Samba are the most common. If these\nfilesystem types are not in use, the script can be disabled, protecting the\nsystem somewhat against accidental or malicious changes toand against flaws in the netfs script itself.\n\nTheservice can be disabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_disabling_netfs",
+ "group_title": "Disable netfs if Possible",
+ "group_description": "To determine if any network filesystems handled by netfs are\ncurrently mounted on the system execute the following command:If the command did not return any output then disable netfs.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_netfs_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_netfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_netfs_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable Network File Systems (netfs)",
+ "id": "xccdf_org.ssgproject.content_rule_service_netfs_disabled",
+ "desc": "The netfs script manages the boot-time mounting of several types\nof networked filesystems, of which NFS and Samba are the most common. If these\nfilesystem types are not in use, the script can be disabled, protecting the\nsystem somewhat against accidental or malicious changes toand against flaws in the netfs script itself.\n\nTheservice can be disabled with the following command:",
+ "descriptions": [
+ {
+ "data": "oval:ssg-service_netfs_disabled:def:1",
+ "label": "check"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Network File Systems (netfs)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/fstab\",\n \"netfs\"\n ],\n \"pre\": \"$ sudo systemctl mask --now netfs.service\",\n \"text\": \"The netfs script manages the boot-time mounting of several types\\nof networked filesystems, of which NFS and Samba are the most common. If these\\nfilesystem types are not in use, the script can be disabled, protecting the\\nsystem somewhat against accidental or malicious changes toand against flaws in the netfs script itself.\\n\\nTheservice can be disabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" stop 'netfs.service'\\n\\\"$SYSTEMCTL_EXEC\\\" disable 'netfs.service'\\n\\\"$SYSTEMCTL_EXEC\\\" mask 'netfs.service'\\n# Disable socket activation if we have a unit file for it\\nif \\\"$SYSTEMCTL_EXEC\\\" -q list-unit-files netfs.socket; then\\n \\\"$SYSTEMCTL_EXEC\\\" stop 'netfs.socket'\\n \\\"$SYSTEMCTL_EXEC\\\" mask 'netfs.socket'\\nfi\\n# The service may not be running because it has been started and failed,\\n# so let's reset the state so OVAL checks pass.\\n# Service should be 'inactive', not 'failed' after reboot though.\\n\\\"$SYSTEMCTL_EXEC\\\" reset-failed 'netfs.service' || true\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_netfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Disable service netfs\\n block:\\n\\n - name: Disable service netfs\\n systemd:\\n name: netfs.service\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n ignore_errors: 'yes'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_netfs_disabled\\n - unknown_severity\\n\\n- name: Unit Socket Exists - netfs.socket\\n command: systemctl list-unit-files netfs.socket\\n register: socket_file_exists\\n changed_when: false\\n ignore_errors: true\\n check_mode: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_netfs_disabled\\n - unknown_severity\\n\\n- name: Disable socket netfs\\n systemd:\\n name: netfs.socket\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"netfs.socket\\\" in socket_file_exists.stdout_lines[1]'\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_netfs_disabled\\n - unknown_severity\",\n \"id\": \"service_netfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include disable_netfs\\n\\nclass disable_netfs {\\n service {'netfs':\\n enable => false,\\n ensure => 'stopped',\\n }\\n}\",\n \"id\": \"service_netfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"apiVersion: machineconfiguration.openshift.io/v1\\nkind: MachineConfig\\nspec:\\n config:\\n ignition:\\n version: 3.1.0\\n systemd:\\n units:\\n - name: netfs.service\\n enabled: false\\n mask: true\\n - name: netfs.socket\\n enabled: false\\n mask: true\",\n \"id\": \"service_netfs_disabled\",\n \"system\": \"urn:xccdf:fix:script:kubernetes\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"[customizations.services]\\ndisabled = [\\\"netfs\\\"]\",\n \"id\": \"service_netfs_disabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_netfs_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_service_netfs_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The netfs script manages the boot-time mounting of several types\nof networked filesystems, of which NFS and Samba are the most common. If these\nfilesystem types are not in use, the script can be disabled, protecting the\nsystem somewhat against accidental or malicious changes toand against flaws in the netfs script itself.\n\nTheservice can be disabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "low",
+ "description": "Themaps all uids and gids to an anonymous user.\nThis should be disabled by removing any instances of theoption from the file.",
+ "group_id": "xccdf_org.ssgproject.content_group_nfs_configuring_servers",
+ "group_title": "Configure NFS Servers",
+ "group_description": "The steps in this section are appropriate for systems which operate as NFS servers.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_all_squash_exports",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_all_squash_exports_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_all_squash_exports",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure All-Squashing Disabled On All Exports",
+ "id": "xccdf_org.ssgproject.content_rule_no_all_squash_exports",
+ "desc": "Themaps all uids and gids to an anonymous user.\nThis should be disabled by removing any instances of theoption from the file.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-no_all_squash_exports_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "The all_squash option maps all client requests to a single anonymous\nuid/gid on the NFS server, negating the ability to track file access\nby user ID.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.3,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure All-Squashing Disabled On All Exports\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"all_squash\",\n \"all_squash\",\n \"/etc/exports\"\n ],\n \"text\": \"Themaps all uids and gids to an anonymous user.\\nThis should be disabled by removing any instances of theoption from the file.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"The all_squash option maps all client requests to a single anonymous\\nuid/gid on the NFS server, negating the ability to track file access\\nby user ID.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_all_squash_exports_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_no_all_squash_exports\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Themaps all uids and gids to an anonymous user.\nThis should be disabled by removing any instances of theoption from the file.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "System time should be synchronized between all systems in an environment. This is\ntypically done by establishing an authoritative time server or set of servers and having all\nsystems synchronize their clocks to them.\nThepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_chrony_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_chrony_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_chrony_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R43)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "FMT_SMF_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-10.6.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000355-GPOS-00143",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_chrony_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R43)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "FMT_SMF_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-10.6.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000355-GPOS-00143",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "The Chrony package is installed",
+ "id": "xccdf_org.ssgproject.content_rule_package_chrony_installed",
+ "desc": "System time should be synchronized between all systems in an environment. This is\ntypically done by establishing an authoritative time server or set of servers and having all\nsystems synchronize their clocks to them.\nThepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "Time synchronization is important to support time sensitive security mechanisms like\nKerberos and also ensures log files have consistent time records across the enterprise,\nwhich aids in forensic investigations.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"The Chrony package is installed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"chrony\",\n \"pre\": \"$ apt-get install chrony\",\n \"text\": \"System time should be synchronized between all systems in an environment. This is\\ntypically done by establishing an authoritative time server or set of servers and having all\\nsystems synchronize their clocks to them.\\nThepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R43)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"FMT_SMF_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-10.6.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000355-GPOS-00143\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Time synchronization is important to support time sensitive security mechanisms like\\nKerberos and also ensures log files have consistent time records across the enterprise,\\nwhich aids in forensic investigations.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"chrony\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_chrony_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure chrony is installed\\n package:\\n name: chrony\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - PCI-DSS-Req-10.6.1\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_chrony_installed\",\n \"id\": \"package_chrony_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_chrony\\n\\nclass install_chrony {\\n package { 'chrony':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_chrony_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"chrony\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_chrony_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_chrony_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_chrony_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_chrony_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "System time should be synchronized between all systems in an environment. This is\ntypically done by establishing an authoritative time server or set of servers and having all\nsystems synchronize their clocks to them.\nThepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000160"
+ ],
+ "nist": [
+ "AU-8 (1)",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "The ntpd service should be installed.",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_ntp_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_ntp_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_ntp_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT012(R03)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000160",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_ntp_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT012(R03)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000160",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Install the ntp service",
+ "id": "xccdf_org.ssgproject.content_rule_package_ntp_installed",
+ "desc": "The ntpd service should be installed.",
+ "descriptions": [
+ {
+ "data": "Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Install the ntp service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"text\": \"The ntpd service should be installed.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT012(R03)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000160\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"ntp\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_ntp_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure ntp is installed\\n package:\\n name: ntp\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4\\n - enable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - package_ntp_installed\",\n \"id\": \"package_ntp_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_ntp\\n\\nclass install_ntp {\\n package { 'ntp':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_ntp_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"ntp\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_ntp_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_ntp_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_ntp_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_ntp_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The ntpd service should be installed.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at.\nChrony can be configured to be a client and/or a server.\nTo enable Chronyd service, you can run:This recommendation only applies if chrony is in use on the system.",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_chronyd_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_chronyd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_chronyd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000355-GPOS-00143",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_chronyd_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "SRG-OS-000355-GPOS-00143",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "The Chronyd service is enabled",
+ "id": "xccdf_org.ssgproject.content_rule_service_chronyd_enabled",
+ "desc": "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at.\nChrony can be configured to be a client and/or a server.\nTo enable Chronyd service, you can run:This recommendation only applies if chrony is in use on the system.",
+ "descriptions": [
+ {
+ "data": "If chrony is in use on the system proper configuration is vital to ensuring time\nsynchronization is working properly.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"The Chronyd service is enabled\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"a\": {\n \"text\": \"http://chrony.tuxfamily.org/\",\n \"href\": \"http://chrony.tuxfamily.org/\"\n },\n \"code\": \"# systemctl enable chronyd.service\",\n \"text\": \"chrony is a daemon which implements the Network Time Protocol (NTP) is designed to\\nsynchronize system clocks across a variety of systems and use a source that is highly\\naccurate. More information on chrony can be found at.\\nChrony can be configured to be a client and/or a server.\\nTo enable Chronyd service, you can run:This recommendation only applies if chrony is in use on the system.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000355-GPOS-00143\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If chrony is in use on the system proper configuration is vital to ensuring time\\nsynchronization is working properly.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#machine\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'chronyd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'chronyd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'chronyd.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_chronyd_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service chronyd\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service chronyd\\n service:\\n name: chronyd\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"chrony\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_chronyd_enabled\",\n \"id\": \"service_chronyd_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_chronyd\\n\\nclass enable_chronyd {\\n service {'chronyd':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_chronyd_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"chronyd\\\"]\",\n \"id\": \"service_chronyd_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_chronyd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_chronyd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_chronyd_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at.\nChrony can be configured to be a client and/or a server.\nTo enable Chronyd service, you can run:This recommendation only applies if chrony is in use on the system.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000160"
+ ],
+ "nist": [
+ "AU-8 (1)",
+ "CM-6 a.",
+ "AU-8 (1) a."
+ ],
+ "severity": "high",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_ntp_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ntp_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ntp_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT012(R03)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000160",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_ntp_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT012(R03)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000160",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable the NTP Daemon",
+ "id": "xccdf_org.ssgproject.content_rule_service_ntp_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Enabling theservice ensures that theservice will be running and that the system will synchronize its time to\nany servers specified. This is important whether the system is configured to be\na client (and synchronize only its own clock) or it is also acting as an NTP\nserver to other systems. Synchronizing time is essential for authentication\nservices such as Kerberos, but it is also important for maintaining accurate\nlogs and auditing possible security breaches.The NTP daemon offers all of the functionality of, which is now\ndeprecated.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Enable the NTP Daemon\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"ntp\",\n \"pre\": \"$ sudo systemctl enable ntp.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT012(R03)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000160\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"ntp\",\n \"ntp\",\n \"ntpdate\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Enabling theservice ensures that theservice will be running and that the system will synchronize its time to\\nany servers specified. This is important whether the system is configured to be\\na client (and synchronize only its own clock) or it is also acting as an NTP\\nserver to other systems. Synchronizing time is essential for authentication\\nservices such as Kerberos, but it is also important for maintaining accurate\\nlogs and auditing possible security breaches.The NTP daemon offers all of the functionality of, which is now\\ndeprecated.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'ntp.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'ntp.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'ntp.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_ntp_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service ntp\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service ntp\\n service:\\n name: ntp\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"ntp\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4\\n - enable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_ntp_enabled\",\n \"id\": \"service_ntp_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_ntp\\n\\nclass enable_ntp {\\n service {'ntp':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_ntp_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"ntp\\\"]\",\n \"id\": \"service_ntp_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ntp_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ntp_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_ntp_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AU-8 (1) a."
+ ],
+ "severity": "medium",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_ntpd_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ntpd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_ntpd_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable the NTP Daemon",
+ "id": "xccdf_org.ssgproject.content_rule_service_ntpd_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Enabling theservice ensures that theservice will be running and that the system will synchronize its time to\nany servers specified. This is important whether the system is configured to be\na client (and synchronize only its own clock) or it is also acting as an NTP\nserver to other systems. Synchronizing time is essential for authentication\nservices such as Kerberos, but it is also important for maintaining accurate\nlogs and auditing possible security breaches.The NTP daemon offers all of the functionality of, which is now\ndeprecated.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable the NTP Daemon\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"ntpd\",\n \"pre\": \"$ sudo systemctl enable ntpd.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"ntpd\",\n \"ntpd\",\n \"ntpdate\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"text\": \"Enabling theservice ensures that theservice will be running and that the system will synchronize its time to\\nany servers specified. This is important whether the system is configured to be\\na client (and synchronize only its own clock) or it is also acting as an NTP\\nserver to other systems. Synchronizing time is essential for authentication\\nservices such as Kerberos, but it is also important for maintaining accurate\\nlogs and auditing possible security breaches.The NTP daemon offers all of the functionality of, which is now\\ndeprecated.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_ntp\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'ntp' 2>/dev/null | grep -q installed; }; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'ntpd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'ntpd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'ntpd.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_ntpd_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_ntpd_enabled\\n\\n- name: Enable service ntpd\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service ntpd\\n service:\\n name: ntpd\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"ntp\\\" in ansible_facts.packages'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"ntp\\\" in ansible_facts.packages'\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - service_ntpd_enabled\",\n \"id\": \"service_ntpd_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_ntpd\\n\\nclass enable_ntpd {\\n service {'ntpd':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_ntpd_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"ntpd\\\"]\",\n \"id\": \"service_ntpd_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_ntpd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_ntpd_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000160"
+ ],
+ "nist": [
+ "AU-8 (1)",
+ "CM-6 a.",
+ "AU-8 (1) a."
+ ],
+ "severity": "high",
+ "description": "Theservice can be enabled with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_timesyncd_enabled",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_timesyncd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_timesyncd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT012(R03)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000160",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_timesyncd_enabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT012(R03)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000160",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable systemd_timesyncd Service",
+ "id": "xccdf_org.ssgproject.content_rule_service_timesyncd_enabled",
+ "desc": "Theservice can be enabled with the following command:",
+ "descriptions": [
+ {
+ "data": "Enabling theservice ensures that this host\nuses the ntp protocol to fetch time data from a ntp server.\nSynchronizing time is essential for authentication\nservices such as Kerberos, but it is also important for maintaining accurate\nlogs and auditing possible security breaches.Additional information on Ubuntu network time protocol is\navailable at.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Enable systemd_timesyncd Service\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"systemd_timesyncd\",\n \"pre\": \"$ sudo systemctl enable systemd_timesyncd.service\",\n \"text\": \"Theservice can be enabled with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT012(R03)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000160\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"systemd_timesyncd\",\n \"br\": [\n \"\",\n \"\"\n ],\n \"a\": {\n \"text\": \"https://help.ubuntu.com/lts/serverguide/NTP.html.en\",\n \"href\": \"https://help.ubuntu.com/lts/serverguide/NTP.html.en\"\n },\n \"text\": \"Enabling theservice ensures that this host\\nuses the ntp protocol to fetch time data from a ntp server.\\nSynchronizing time is essential for authentication\\nservices such as Kerberos, but it is also important for maintaining accurate\\nlogs and auditing possible security breaches.Additional information on Ubuntu network time protocol is\\navailable at.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" unmask 'systemd-timesyncd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" start 'systemd-timesyncd.service'\\n\\\"$SYSTEMCTL_EXEC\\\" enable 'systemd-timesyncd.service'\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_timesyncd_enabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Enable service systemd-timesyncd\\n block:\\n\\n - name: Gather the package facts\\n package_facts:\\n manager: auto\\n\\n - name: Enable service systemd-timesyncd\\n service:\\n name: systemd-timesyncd\\n enabled: 'yes'\\n state: started\\n masked: 'no'\\n when:\\n - '\\\"systemd\\\" in ansible_facts.packages'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4\\n - enable_strategy\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_timesyncd_enabled\",\n \"id\": \"service_timesyncd_enabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include enable_systemd-timesyncd\\n\\nclass enable_systemd-timesyncd {\\n service {'systemd-timesyncd':\\n enable => true,\\n ensure => 'running',\\n }\\n}\",\n \"id\": \"service_timesyncd_enabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[customizations.services]\\nenabled = [\\\"systemd-timesyncd\\\"]\",\n \"id\": \"service_timesyncd_enabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_timesyncd_enabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-service_timesyncd_enabled_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_service_timesyncd_enabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theservice can be enabled with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001891"
+ ],
+ "nist": [
+ "AU-8 (1) (a)"
+ ],
+ "severity": "medium",
+ "description": "Check that Chrony only has time sources configured with thedirective.",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_chronyd_server_directive",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-chronyd_server_directive:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-chronyd_server_directive_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-001891",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000355-GPOS-00143",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000356-GPOS-00144",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000359-GPOS-00146",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_chronyd_server_directive",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-001891",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000355-GPOS-00143",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000356-GPOS-00144",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000359-GPOS-00146",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Ensure Chrony is only configured with the server directive",
+ "id": "xccdf_org.ssgproject.content_rule_chronyd_server_directive",
+ "desc": "Check that Chrony only has time sources configured with thedirective.",
+ "descriptions": [
+ {
+ "data": "Depending on the infrastruture being used thedirective may not be supported.",
+ "label": "rationale"
+ },
+ {
+ "data": "This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure Chrony is only configured with the server directive\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"server\",\n \"text\": \"Check that Chrony only has time sources configured with thedirective.\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-001891\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000355-GPOS-00143\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000356-GPOS-00144\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000359-GPOS-00146\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": \"pool\",\n \"text\": \"Depending on the infrastruture being used thedirective may not be supported.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_chrony\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-chronyd_server_directive:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-chronyd_server_directive_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_chronyd_server_directive\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Check that Chrony only has time sources configured with thedirective.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000160",
+ "CCI-001891"
+ ],
+ "nist": [
+ "AU-8 (1)",
+ "AU-8 (1) (a)",
+ "CM-6 a.",
+ "AU-8 (1) a."
+ ],
+ "severity": "medium",
+ "description": "is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information oncan be found at.can be configured to be a client and/or a server.\nAdd or edit server or pool lines toas appropriate:Multiple servers may be configured.",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-chronyd_specify_remote_server:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R43)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "CCI-000160",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001891",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "0988",
+ "href": ""
+ },
+ {
+ "text": "1405",
+ "href": ""
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "Req-10.4.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R43)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "CCI-000160",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001891",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "0988"
+ },
+ {
+ "ref": "1405"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "Req-10.4.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "A remote time server for Chrony is configured",
+ "id": "xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server",
+ "desc": "is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information oncan be found at.can be configured to be a client and/or a server.\nAdd or edit server or pool lines toas appropriate:Multiple servers may be configured.",
+ "descriptions": [
+ {
+ "data": "Ifis in use on the system proper configuration is vital to ensuring time\nsynchronization is working properly.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"A remote time server for Chrony is configured\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"Chrony\",\n \"chrony\",\n \"Chrony\",\n \"/etc/chrony/chrony.conf\"\n ],\n \"a\": {\n \"text\": \"http://chrony.tuxfamily.org/\",\n \"href\": \"http://chrony.tuxfamily.org/\"\n },\n \"pre\": \"server \",\n \"text\": \"is a daemon which implements the Network Time Protocol (NTP). It is designed to\\nsynchronize system clocks across a variety of systems and use a source that is highly\\naccurate. More information oncan be found at.can be configured to be a client and/or a server.\\nAdd or edit server or pool lines toas appropriate:Multiple servers may be configured.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R43)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"CCI-000160\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001891\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"0988\",\n \"href\": \"\"\n },\n {\n \"text\": \"1405\",\n \"href\": \"\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"Req-10.4.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \"chrony\",\n \"text\": \"Ifis in use on the system proper configuration is vital to ensuring time\\nsynchronization is working properly.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_chrony\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_multiple_time_servers\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { dpkg-query --show --showformat='${db:Status-Status}\\\\n' 'chrony' 2>/dev/null | grep -q installed; }; then\\n\\nvar_multiple_time_servers=''\\n\\n\\nconfig_file=\\\"/etc/chrony/chrony.conf\\\"\\n\\nif ! grep -q '^[\\\\s]*(?:server|pool)[\\\\s]+[\\\\w]+' \\\"$config_file\\\" ; then\\n if ! grep -q '#[[:space:]]*server' \\\"$config_file\\\" ; then\\n for server in $(echo \\\"$var_multiple_time_servers\\\" | tr ',' '\\\\n') ; do\\n printf '\\\\nserver %s' \\\"$server\\\" >> \\\"$config_file\\\"\\n done\\n else\\n sed -i 's/#[ \\\\t]*server/server/g' \\\"$config_file\\\"\\n fi\\nfi\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"chronyd_specify_remote_server\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_multiple_time_servers\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: Gather the package facts\\n package_facts:\\n manager: auto\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.3\\n - chronyd_specify_remote_server\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n- name: XCCDF Value var_multiple_time_servers # promote to variable\\n set_fact:\\n var_multiple_time_servers: !!strtags:\\n - always\\n\\n- name: Detect if chrony is already configured with pools or servers\\n find:\\n path: /etc\\n patterns: chrony.conf\\n contains: ^[\\\\s]*(?:server|pool)[\\\\s]+[\\\\w]+\\n register: chrony_servers\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"chrony\\\" in ansible_facts.packages'\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.3\\n - chronyd_specify_remote_server\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Configure remote time servers\\n lineinfile:\\n path: /etc/chrony/chrony.conf\\n line: server {{ item }}\\n state: present\\n create: true\\n loop: '{{ var_multiple_time_servers.split(\\\",\\\") }}'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"chrony\\\" in ansible_facts.packages'\\n - chrony_servers.matched == 0\\n tags:\\n - NIST-800-53-AU-8(1)(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-10.4.3\\n - chronyd_specify_remote_server\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"chronyd_specify_remote_server\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-chronyd_specify_remote_server:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information oncan be found at.can be configured to be a client and/or a server.\nAdd or edit server or pool lines toas appropriate:Multiple servers may be configured.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AU-8 (1) a.",
+ "AU-8 (2)"
+ ],
+ "severity": "unknown",
+ "description": "Additional NTP servers can be specified for time synchronization\nin the file. To do so, add additional lines of the\nfollowing form, substituting the IP address or hostname of a remote NTP server for:",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ntpd_specify_multiple_servers:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Specify Additional Remote NTP Servers",
+ "id": "xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers",
+ "desc": "Additional NTP servers can be specified for time synchronization\nin the file. To do so, add additional lines of the\nfollowing form, substituting the IP address or hostname of a remote NTP server for:",
+ "descriptions": [
+ {
+ "data": "oval:ssg-ntpd_specify_multiple_servers:def:1",
+ "label": "check"
+ },
+ {
+ "data": "Specifying additional NTP servers increases the availability of\naccurate time data, in the event that one of the specified servers becomes\nunavailable. This is typical for a system acting as an NTP server for\nother systems.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Specify Additional Remote NTP Servers\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ntp.conf\",\n \"em\": \"ntpserver\",\n \"pre\": {\n \"i\": \"ntpserver\",\n \"text\": \"server\"\n },\n \"text\": \"Additional NTP servers can be specified for time synchronization\\nin the file. To do so, add additional lines of the\\nfollowing form, substituting the IP address or hostname of a remote NTP server for:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Specifying additional NTP servers increases the availability of\\naccurate time data, in the event that one of the specified servers becomes\\nunavailable. This is typical for a system acting as an NTP server for\\nother systems.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ntpd_specify_multiple_servers:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Additional NTP servers can be specified for time synchronization\nin the file. To do so, add additional lines of the\nfollowing form, substituting the IP address or hostname of a remote NTP server for:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-6 a.",
+ "AU-8 (1) a."
+ ],
+ "severity": "medium",
+ "description": "To specify a remote NTP server for time synchronization, edit\nthe file. Add or correct the following lines,\nsubstituting the IP or hostname of a remote NTP server for:This instructs the NTP software to contact that remote server to obtain time\ndata.",
+ "group_id": "xccdf_org.ssgproject.content_group_ntp",
+ "group_title": "Network Time Protocol",
+ "group_description": "The Network Time Protocol is used to manage the system\nclock over a network. Computer clocks are not very accurate, so\ntime will drift unpredictably on unmanaged systems. Central time\nprotocols can be used both to ensure that time is consistent among\na network of systems, and that their time is consistent with the\noutside world.If every system on a network reliably reports the same time, then it is much\neasier to correlate log messages in case of an attack. In addition, a number of\ncryptographic protocols (such as Kerberos) use timestamps to prevent certain\ntypes of attacks. If your network does not have synchronized time, these\nprotocols may be unreliable or even unusable.Depending on the specifics of the network, global time accuracy may be just as\nimportant as local synchronization, or not very important at all. If your\nnetwork is connected to the Internet, using a public timeserver (or one\nprovided by your enterprise) provides globally accurate timestamps which may be\nessential in investigating or responding to an attack which originated outside\nof your network.A typical network setup involves a small number of internal systems operating\nas NTP servers, and the remainder obtaining time information from those\ninternal servers.There is a choice between the daemonsand, which\nare available from the repositories in theandpackages respectively.The defaultdaemon can work well when external time references\nare only intermittently accesible, can perform well even when the network is\ncongested for longer periods of time, can usually synchronize the clock faster\nand with better time accuracy, and quickly adapts to sudden changes in the rate\nof the clock, for example, due to changes in the temperature of the crystal\noscillator.should be considered for all systems which are\nfrequently suspended or otherwise intermittently disconnected and reconnected\nto a network. Mobile and virtual systems for example.TheNTP daemon fully supports NTP protocol version 4 (RFC 5905),\nincluding broadcast, multicast, manycast clients and servers, and the orphan\nmode. It also supports extra authentication schemes based on public-key\ncryptography (RFC 5906). The NTP daemon () should be considered\nfor systems which are normally kept permanently on. Systems which are required\nto use broadcast or multicast IP, or to perform authentication of packets with\ntheprotocol, should consider using.Refer tofor more detailed comparison of features ofanddaemon features respectively, and for further guidance how to\nchoose between the two NTP daemons.The upstream manual pages atforandforprovide additional\ninformation on the capabilities and configuration of each of the NTP daemons.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ntpd_specify_remote_server:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO11.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "MEA02.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "4.3.3.3.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.4.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.2.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.7.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AU-8(1)(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.PT-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-10.4.1",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "Req-10.4.3",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO11.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "MEA02.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "4.3.3.3.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.4.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.2.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.7.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AU-8(1)(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.PT-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-10.4.1",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "Req-10.4.3",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Specify a Remote NTP Server",
+ "id": "xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server",
+ "desc": "To specify a remote NTP server for time synchronization, edit\nthe file. Add or correct the following lines,\nsubstituting the IP or hostname of a remote NTP server for:This instructs the NTP software to contact that remote server to obtain time\ndata.",
+ "descriptions": [
+ {
+ "data": "Synchronizing with an NTP server makes it possible\nto collate system logs from multiple sources or correlate computer events with\nreal time events.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Specify a Remote NTP Server\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ntp.conf\",\n \"em\": \"ntpserver\",\n \"pre\": {\n \"i\": \"ntpserver\",\n \"text\": \"server\"\n },\n \"text\": \"To specify a remote NTP server for time synchronization, edit\\nthe file. Add or correct the following lines,\\nsubstituting the IP or hostname of a remote NTP server for:This instructs the NTP software to contact that remote server to obtain time\\ndata.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO11.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"MEA02.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"4.3.3.3.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.4.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.2.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.7.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AU-8(1)(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.PT-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-10.4.1\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"Req-10.4.3\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Synchronizing with an NTP server makes it possible\\nto collate system logs from multiple sources or correlate computer events with\\nreal time events.\",\n \"lang\": \"en-US\"\n },\n \"platform\": {\n \"idref\": \"#package_ntp\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-ntpd_specify_remote_server:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To specify a remote NTP server for time synchronization, edit\nthe file. Add or correct the following lines,\nsubstituting the IP or hostname of a remote NTP server for:This instructs the NTP software to contact that remote server to obtain time\ndata.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-001436"
+ ],
+ "nist": [
+ "AC-17 (8)",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "The filesand(in\neach user's home directory) list remote hosts and users that are trusted by the\nlocal system when using the rshd daemon.\nTo remove these files, run the following command to delete them from any\nlocation:",
+ "group_id": "xccdf_org.ssgproject.content_group_r_services",
+ "group_title": "Rlogin, Rsh, and Rexec",
+ "group_description": "The Berkeley r-commands are legacy services which\nallow cleartext remote access and have an insecure trust\nmodel.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_no_rsh_trust_files",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_rsh_trust_files:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_rsh_trust_files_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "no_rsh_trust_files",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-001436",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_no_rsh_trust_files",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-001436",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Remove Rsh Trust Files",
+ "id": "xccdf_org.ssgproject.content_rule_no_rsh_trust_files",
+ "desc": "The filesand(in\neach user's home directory) list remote hosts and users that are trusted by the\nlocal system when using the rshd daemon.\nTo remove these files, run the following command to delete them from any\nlocation:",
+ "descriptions": [
+ {
+ "data": "find /root -xdev -type f -name \".rhosts\" -exec rm -f {} \\;\nfind /home -maxdepth 2 -xdev -type f -name \".rhosts\" -exec rm -f {} \\;\nrm -f /etc/hosts.equiv",
+ "label": "fix"
+ },
+ {
+ "data": "This action is only meaningful ifsupport is permitted\nthrough PAM. Trust files are convenient, but when used in conjunction with\nthe R-services, they can allow unauthenticated access to a system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Remove Rsh Trust Files\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/hosts.equiv\",\n \"~/.rhosts\"\n ],\n \"pre\": [\n \"$ sudo rm /etc/hosts.equiv\",\n \"$ rm ~/.rhosts\"\n ],\n \"text\": \"The filesand(in\\neach user's home directory) list remote hosts and users that are trusted by the\\nlocal system when using the rshd daemon.\\nTo remove these files, run the following command to delete them from any\\nlocation:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-001436\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": \".rhosts\",\n \"text\": \"This action is only meaningful ifsupport is permitted\\nthrough PAM. Trust files are convenient, but when used in conjunction with\\nthe R-services, they can allow unauthenticated access to a system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"text\": \"find /root -xdev -type f -name \\\".rhosts\\\" -exec rm -f {} \\\\;\\nfind /home -maxdepth 2 -xdev -type f -name \\\".rhosts\\\" -exec rm -f {} \\\\;\\nrm -f /etc/hosts.equiv\",\n \"id\": \"no_rsh_trust_files\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-no_rsh_trust_files:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-no_rsh_trust_files_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_no_rsh_trust_files\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The filesand(in\neach user's home directory) list remote hosts and users that are trusted by the\nlocal system when using the rshd daemon.\nTo remove these files, run the following command to delete them from any\nlocation:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000879",
+ "CCI-001133",
+ "CCI-002361"
+ ],
+ "nist": [
+ "MA-4 e",
+ "SC-10",
+ "AC-12",
+ "AC-2 (5)",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\n\nTo ensure the SSH timeout occurs precisely when theis set, set theto\nvalue ofin:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_keepalive_0:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_keepalive_0_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000879",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001133",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002361",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-2(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.1.8",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000126-GPOS-00066",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000163-GPOS-00072",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000279-GPOS-00109",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000879",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001133",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002361",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-2(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.1.8",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000126-GPOS-00066",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000163-GPOS-00072",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000279-GPOS-00109",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Set SSH Client Alive Count Max to zero",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0",
+ "desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\n\nTo ensure the SSH timeout occurs precisely when theis set, set theto\nvalue ofin:",
+ "descriptions": [
+ {
+ "data": "This ensures a user login will be terminated as soon as theis reached.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH Client Alive Count Max to zero\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ClientAliveCountMax\",\n \"ClientAliveInterval\",\n \"ClientAliveCountMax\",\n \"ClientAliveInterval\",\n \"ClientAliveCountMax\",\n \"0\",\n \"/etc/ssh/sshd_config\"\n ],\n \"text\": \"The SSH server sends at mostmessages\\nduring a SSH session and waits for a response from the SSH client.\\nThe optionconfigures timeout after\\neachmessage. If the SSH server does not\\nreceive a response from the client, then the connection is considered unresponsive\\nand terminated.\\n\\nTo ensure the SSH timeout occurs precisely when theis set, set theto\\nvalue ofin:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000879\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001133\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002361\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-2(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.1.8\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000126-GPOS-00066\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000163-GPOS-00072\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000279-GPOS-00109\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"code\": \"ClientAliveInterval\",\n \"text\": \"This ensures a user login will be terminated as soon as theis reached.\",\n \"lang\": \"en-US\"\n },\n \"requires\": {\n \"idref\": \"xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*ClientAliveCountMax\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"ClientAliveCountMax 0\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"ClientAliveCountMax 0\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_keepalive_0\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Set SSH Client Alive Count Max to zero\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n line: ClientAliveCountMax 0\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.11\\n - NIST-800-53-AC-12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-2(5)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-10\\n - PCI-DSS-Req-8.1.8\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_keepalive_0\",\n \"id\": \"sshd_set_keepalive_0\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_keepalive_0:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_keepalive_0_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\n\nTo ensure the SSH timeout occurs precisely when theis set, set theto\nvalue ofin:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000879",
+ "CCI-001133",
+ "CCI-002361"
+ ],
+ "nist": [
+ "MA-4 e",
+ "SC-10",
+ "AC-12",
+ "AC-2 (5)",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\nFor SSH earlier than v8.2, avalue ofcauses a timeout precisely when theis set.\nStarting with v8.2, a value ofdisables the timeout functionality\ncompletely. If the option is set to a number greater than, then\nthe session will be disconnected afterseconds without receiving\na keep alive message.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_keepalive:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_keepalive:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R29)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000879",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001133",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002361",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-2(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.1.8",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000163-GPOS-00072",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000279-GPOS-00109",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R29)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000879",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001133",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002361",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-2(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.1.8",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000163-GPOS-00072",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000279-GPOS-00109",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Set SSH Client Alive Count Max",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_keepalive",
+ "desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\nFor SSH earlier than v8.2, avalue ofcauses a timeout precisely when theis set.\nStarting with v8.2, a value ofdisables the timeout functionality\ncompletely. If the option is set to a number greater than, then\nthe session will be disconnected afterseconds without receiving\na keep alive message.",
+ "descriptions": [
+ {
+ "data": "This ensures a user login will be terminated as soon as theis reached.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH Client Alive Count Max\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"ClientAliveCountMax\",\n \"ClientAliveInterval\",\n \"ClientAliveCountMax\",\n \"ClientAliveCountMax\",\n \"0\",\n \"ClientAliveInterval\",\n \"0\",\n \"0\",\n \"ClientAliveInterval * ClientAliveCountMax\"\n ],\n \"text\": \"The SSH server sends at mostmessages\\nduring a SSH session and waits for a response from the SSH client.\\nThe optionconfigures timeout after\\neachmessage. If the SSH server does not\\nreceive a response from the client, then the connection is considered unresponsive\\nand terminated.\\nFor SSH earlier than v8.2, avalue ofcauses a timeout precisely when theis set.\\nStarting with v8.2, a value ofdisables the timeout functionality\\ncompletely. If the option is set to a number greater than, then\\nthe session will be disconnected afterseconds without receiving\\na keep alive message.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R29)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000879\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001133\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002361\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-2(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.1.8\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000163-GPOS-00072\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000279-GPOS-00109\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"code\": \"ClientAliveInterval\",\n \"text\": \"This ensures a user login will be terminated as soon as theis reached.\",\n \"lang\": \"en-US\"\n },\n \"requires\": {\n \"idref\": \"xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_sshd_set_keepalive=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*ClientAliveCountMax\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"ClientAliveCountMax $var_sshd_set_keepalive\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"ClientAliveCountMax $var_sshd_set_keepalive\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_keepalive\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sshd_set_keepalive # promote to variable\\n set_fact:\\n var_sshd_set_keepalive: !!strtags:\\n - always\\n\\n- name: Set SSH Client Alive Count Max\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*ClientAliveCountMax\\\\s+\\n line: ClientAliveCountMax {{ var_sshd_set_keepalive }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.11\\n - NIST-800-53-AC-12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-2(5)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-SC-10\\n - PCI-DSS-Req-8.1.8\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_keepalive\",\n \"id\": \"sshd_set_keepalive\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_keepalive:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_keepalive:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_keepalive\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SSH server sends at mostmessages\nduring a SSH session and waits for a response from the SSH client.\nThe optionconfigures timeout after\neachmessage. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\nFor SSH earlier than v8.2, avalue ofcauses a timeout precisely when theis set.\nStarting with v8.2, a value ofdisables the timeout functionality\ncompletely. If the option is set to a number greater than, then\nthe session will be disconnected afterseconds without receiving\na keep alive message.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000879",
+ "CCI-001133",
+ "CCI-002361"
+ ],
+ "nist": [
+ "MA-4 e",
+ "SC-10",
+ "AC-12",
+ "CM-6 a.",
+ "AC-17 a.",
+ "AC-2 (5)"
+ ],
+ "severity": "medium",
+ "description": "SSH allows administrators to set a network responsiveness timeout interval.\nAfter this interval has passed, the unresponsive client will be automatically logged out.To set this timeout interval, edit the following line inas\nfollows:The timeoutis given in seconds. For example, have a timeout\nof 10 minutes, setto 600.If a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made in. Keep in mind that\nsome processes may stop SSH from correctly detecting that the user is idle.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_keepalive:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_idle_timeout_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_idle_timeout_value\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_idle_timeout:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "sshd_set_idle_timeout",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R29)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "7",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI03.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.11",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000879",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001133",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002361",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 6.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-2(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.CM-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "DE.CM-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-8.1.8",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000126-GPOS-00066",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000163-GPOS-00072",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000279-GPOS-00109",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000395-GPOS-00175",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R29)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "7",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI03.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.11",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000879",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001133",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002361",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 6.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-2(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.CM-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "DE.CM-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-8.1.8",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000126-GPOS-00066",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000163-GPOS-00072",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000279-GPOS-00109",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000395-GPOS-00175",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Set SSH Client Alive Interval",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout",
+ "desc": "SSH allows administrators to set a network responsiveness timeout interval.\nAfter this interval has passed, the unresponsive client will be automatically logged out.To set this timeout interval, edit the following line inas\nfollows:The timeoutis given in seconds. For example, have a timeout\nof 10 minutes, setto 600.If a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made in. Keep in mind that\nsome processes may stop SSH from correctly detecting that the user is idle.",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nsshd_idle_timeout_value=''\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*ClientAliveInterval\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\n# make sure file has newline at the end\nsed -i -e '$a\\' \"/etc/ssh/sshd_config\"\n\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"ClientAliveInterval $sshd_idle_timeout_value\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Terminating an idle ssh session within a short time period reduces the window of\nopportunity for unauthorized personnel to take control of a management session\nenabled on the console or console port that has been let unattended.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH Client Alive Interval\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\",\n \"\",\n \"\",\n \"\",\n \"\"\n ],\n \"code\": [\n \"/etc/ssh/sshd_config\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": {\n \"b\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_idle_timeout_value\",\n \"use\": \"legacy\"\n }\n },\n \"text\": \"ClientAliveInterval\"\n },\n \"b\": [\n \"interval\",\n \"interval\"\n ],\n \"text\": \"SSH allows administrators to set a network responsiveness timeout interval.\\nAfter this interval has passed, the unresponsive client will be automatically logged out.To set this timeout interval, edit the following line inas\\nfollows:The timeoutis given in seconds. For example, have a timeout\\nof 10 minutes, setto 600.If a shorter timeout has already been set for the login shell, that value will\\npreempt any SSH setting made in. Keep in mind that\\nsome processes may stop SSH from correctly detecting that the user is idle.\",\n \"lang\": \"en-US\"\n },\n \"warning\": [\n {\n \"text\": \"SSH disconnecting unresponsive clients will not have desired effect without also\\nconfiguring ClientAliveCountMax in the SSH service configuration.\",\n \"lang\": \"en-US\",\n \"category\": \"dependency\"\n },\n {\n \"ul\": {\n \"li\": [\n \"Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.\",\n {\n \"code\": [\n \"scp\",\n \"sftp\"\n ],\n \"text\": \"Anyoractivity by the same user to the host resets the timeout.\"\n }\n ]\n },\n \"text\": \"Following conditions may prevent the SSH session to time out:\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n }\n ],\n \"reference\": [\n {\n \"text\": \"BP28(R29)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"7\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI03.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.11\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000879\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001133\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002361\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 6.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-2(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.CM-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"DE.CM-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-8.1.8\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000126-GPOS-00066\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000163-GPOS-00072\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000279-GPOS-00109\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000395-GPOS-00175\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Terminating an idle ssh session within a short time period reduces the window of\\nopportunity for unauthorized personnel to take control of a management session\\nenabled on the console or console port that has been let unattended.\",\n \"lang\": \"en-US\"\n },\n \"requires\": {\n \"idref\": \"xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_idle_timeout_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nsshd_idle_timeout_value=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*ClientAliveInterval\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"ClientAliveInterval $sshd_idle_timeout_value\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"ClientAliveInterval $sshd_idle_timeout_value\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_idle_timeout\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_keepalive:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_keepalive\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_idle_timeout_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_idle_timeout_value\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_idle_timeout:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH allows administrators to set a network responsiveness timeout interval.\nAfter this interval has passed, the unresponsive client will be automatically logged out.To set this timeout interval, edit the following line inas\nfollows:The timeoutis given in seconds. For example, have a timeout\nof 10 minutes, setto 600.If a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made in. Keep in mind that\nsome processes may stop SSH from correctly detecting that the user is idle.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-3",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "SSH's cryptographic host-based authentication is\nmore secure thanauthentication. However, it is\nnot recommended that hosts unilaterally trust one another, even\nwithin an organization.The default SSH configuration disables host-based authentication. The appropriate\nconfiguration is used if no value is set for.To explicitly disable host-based authentication, add or correct the\nfollowing line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_disable_host_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-disable_host_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-disable_host_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0421",
+ "href": ""
+ },
+ {
+ "text": "0422",
+ "href": ""
+ },
+ {
+ "text": "0431",
+ "href": ""
+ },
+ {
+ "text": "0974",
+ "href": ""
+ },
+ {
+ "text": "1173",
+ "href": ""
+ },
+ {
+ "text": "1401",
+ "href": ""
+ },
+ {
+ "text": "1504",
+ "href": ""
+ },
+ {
+ "text": "1505",
+ "href": ""
+ },
+ {
+ "text": "1546",
+ "href": ""
+ },
+ {
+ "text": "1557",
+ "href": ""
+ },
+ {
+ "text": "1558",
+ "href": ""
+ },
+ {
+ "text": "1559",
+ "href": ""
+ },
+ {
+ "text": "1560",
+ "href": ""
+ },
+ {
+ "text": "1561",
+ "href": ""
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00229",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_disable_host_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0421"
+ },
+ {
+ "ref": "0422"
+ },
+ {
+ "ref": "0431"
+ },
+ {
+ "ref": "0974"
+ },
+ {
+ "ref": "1173"
+ },
+ {
+ "ref": "1401"
+ },
+ {
+ "ref": "1504"
+ },
+ {
+ "ref": "1505"
+ },
+ {
+ "ref": "1546"
+ },
+ {
+ "ref": "1557"
+ },
+ {
+ "ref": "1558"
+ },
+ {
+ "ref": "1559"
+ },
+ {
+ "ref": "1560"
+ },
+ {
+ "ref": "1561"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00229",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Host-Based Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_disable_host_auth",
+ "desc": "SSH's cryptographic host-based authentication is\nmore secure thanauthentication. However, it is\nnot recommended that hosts unilaterally trust one another, even\nwithin an organization.The default SSH configuration disables host-based authentication. The appropriate\nconfiguration is used if no value is set for.To explicitly disable host-based authentication, add or correct the\nfollowing line in:",
+ "descriptions": [
+ {
+ "data": "SSH trust relationships mean a compromise on one host\ncan allow an attacker to move trivially to other hosts.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Host-Based Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \".rhosts\",\n \"HostbasedAuthentication\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"HostbasedAuthentication no\",\n \"text\": \"SSH's cryptographic host-based authentication is\\nmore secure thanauthentication. However, it is\\nnot recommended that hosts unilaterally trust one another, even\\nwithin an organization.The default SSH configuration disables host-based authentication. The appropriate\\nconfiguration is used if no value is set for.To explicitly disable host-based authentication, add or correct the\\nfollowing line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0421\",\n \"href\": \"\"\n },\n {\n \"text\": \"0422\",\n \"href\": \"\"\n },\n {\n \"text\": \"0431\",\n \"href\": \"\"\n },\n {\n \"text\": \"0974\",\n \"href\": \"\"\n },\n {\n \"text\": \"1173\",\n \"href\": \"\"\n },\n {\n \"text\": \"1401\",\n \"href\": \"\"\n },\n {\n \"text\": \"1504\",\n \"href\": \"\"\n },\n {\n \"text\": \"1505\",\n \"href\": \"\"\n },\n {\n \"text\": \"1546\",\n \"href\": \"\"\n },\n {\n \"text\": \"1557\",\n \"href\": \"\"\n },\n {\n \"text\": \"1558\",\n \"href\": \"\"\n },\n {\n \"text\": \"1559\",\n \"href\": \"\"\n },\n {\n \"text\": \"1560\",\n \"href\": \"\"\n },\n {\n \"text\": \"1561\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00229\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"SSH trust relationships mean a compromise on one host\\ncan allow an attacker to move trivially to other hosts.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*HostbasedAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"HostbasedAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"HostbasedAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"disable_host_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable Host-Based Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*HostbasedAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*HostbasedAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*HostbasedAuthentication\\\\s+\\n line: HostbasedAuthentication no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-3\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - disable_host_auth\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\",\n \"id\": \"disable_host_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-disable_host_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-disable_host_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_disable_host_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH's cryptographic host-based authentication is\nmore secure thanauthentication. However, it is\nnot recommended that hosts unilaterally trust one another, even\nwithin an organization.The default SSH configuration disables host-based authentication. The appropriate\nconfiguration is used if no value is set for.To explicitly disable host-based authentication, add or correct the\nfollowing line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000197",
+ "CCI-000366"
+ ],
+ "nist": [
+ "IA-5 (1) (c)",
+ "CM-6 b",
+ "CM-6 a.",
+ "AC-17 a.",
+ "AC-17 (2)",
+ "IA-5 (1) c.",
+ "SC-13",
+ "MA-4 (6)"
+ ],
+ "severity": "high",
+ "description": "Only SSH protocol version 2 connections should be\npermitted. The default setting inis correct, and can be\nverified by ensuring that the following\nline appears:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_allow_only_protocol2:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT007(R1)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "8",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO13.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS01.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.5.4",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000197",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0487",
+ "href": ""
+ },
+ {
+ "text": "1449",
+ "href": ""
+ },
+ {
+ "text": "1506",
+ "href": ""
+ },
+ {
+ "text": "A.11.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R4.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R7.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-5(1)(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SC-13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "MA-4(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000074-GPOS-00042",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000033-VMM-000140",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT007(R1)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "8",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO13.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS01.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.5.4",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000197",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0487"
+ },
+ {
+ "ref": "1449"
+ },
+ {
+ "ref": "1506"
+ },
+ {
+ "ref": "A.11.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R4.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R7.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-5(1)(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SC-13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "MA-4(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000074-GPOS-00042",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000033-VMM-000140"
+ }
+ ],
+ "source_location": {},
+ "title": "Allow Only SSH Protocol 2",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2",
+ "desc": "Only SSH protocol version 2 connections should be\npermitted. The default setting inis correct, and can be\nverified by ensuring that the following\nline appears:",
+ "descriptions": [
+ {
+ "data": "SSH protocol version 1 is an insecure implementation of the SSH protocol and\nhas many well-known vulnerability exploits. Exploits of the SSH daemon could provide\nimmediate root access to the system.",
+ "label": "rationale"
+ },
+ {
+ "data": "As ofversionand above, the only protocol\nsupported is version 2, and lineinis not necessary.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Allow Only SSH Protocol 2\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"Protocol 2\",\n \"text\": \"Only SSH protocol version 2 connections should be\\npermitted. The default setting inis correct, and can be\\nverified by ensuring that the following\\nline appears:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"openssh-server\",\n \"7.4\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"Protocol 2\",\n \"text\": \"As ofversionand above, the only protocol\\nsupported is version 2, and lineinis not necessary.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"NT007(R1)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"8\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO13.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS01.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.5.4\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000197\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0487\",\n \"href\": \"\"\n },\n {\n \"text\": \"1449\",\n \"href\": \"\"\n },\n {\n \"text\": \"1506\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.11.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R4.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R7.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-5(1)(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SC-13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"MA-4(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000074-GPOS-00042\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000033-VMM-000140\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"SSH protocol version 1 is an insecure implementation of the SSH protocol and\\nhas many well-known vulnerability exploits. Exploits of the SSH daemon could provide\\nimmediate root access to the system.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_allow_only_protocol2:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Only SSH protocol version 2 connections should be\npermitted. The default setting inis correct, and can be\nverified by ensuring that the following\nline appears:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in thefile:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_compression",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_disable_compression:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_disable_compression\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_compression:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_compression_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_compression",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Compression Or Set Compression to delayed",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_compression",
+ "desc": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in thefile:",
+ "descriptions": [
+ {
+ "data": "If compression is allowed in an SSH connection prior to authentication,\nvulnerabilities in the compression software could result in compromise of the\nsystem from an unauthenticated connection, potentially with root privileges.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Compression Or Set Compression to delayed\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_disable_compression\",\n \"use\": \"legacy\"\n },\n \"text\": \"Compression\"\n },\n \"text\": \"Compression is useful for slow network connections over long\\ndistances but can cause performance issues on local LANs. If use of compression\\nis required, it should be enabled only after a user has authenticated; otherwise,\\nit should be disabled. To disable compression or delay compression until after\\na user has successfully authenticated, add or correct the following line in thefile:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"If compression is allowed in an SSH connection prior to authentication,\\nvulnerabilities in the compression software could result in compromise of the\\nsystem from an unauthenticated connection, potentially with root privileges.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_disable_compression:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_disable_compression\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_compression:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_compression_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_compression\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in thefile:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-000766"
+ ],
+ "nist": [
+ "CM-6 b",
+ "IA-2 (2)",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "high",
+ "description": "Disallow SSH login with empty passwords.\nThe default SSH configuration disables logins with empty passwords. The appropriate\nconfiguration is used if no value is set for.To explicitly disallow SSH login from accounts with empty passwords,\nadd or correct the following line in:Any accounts with empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_empty_passwords:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "NT007(R17)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000766",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000106-GPOS-00053",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00229",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "NT007(R17)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000766",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000106-GPOS-00053",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00229",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Access via Empty Passwords",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords",
+ "desc": "Disallow SSH login with empty passwords.\nThe default SSH configuration disables logins with empty passwords. The appropriate\nconfiguration is used if no value is set for.To explicitly disallow SSH login from accounts with empty passwords,\nadd or correct the following line in:Any accounts with empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.",
+ "descriptions": [
+ {
+ "data": "Configuring this setting for the SSH daemon provides additional assurance\nthat remote login via SSH will require a password, even in the event of\nmisconfiguration elsewhere.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Access via Empty Passwords\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"PermitEmptyPasswords\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"PermitEmptyPasswords no\",\n \"text\": \"Disallow SSH login with empty passwords.\\nThe default SSH configuration disables logins with empty passwords. The appropriate\\nconfiguration is used if no value is set for.To explicitly disallow SSH login from accounts with empty passwords,\\nadd or correct the following line in:Any accounts with empty passwords should be disabled immediately, and PAM configuration\\nshould prevent users from being able to assign themselves empty passwords.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"NT007(R17)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000766\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000106-GPOS-00053\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00229\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Configuring this setting for the SSH daemon provides additional assurance\\nthat remote login via SSH will require a password, even in the event of\\nmisconfiguration elsewhere.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PermitEmptyPasswords\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PermitEmptyPasswords no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PermitEmptyPasswords no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_empty_passwords\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH Access via Empty Passwords\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitEmptyPasswords\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitEmptyPasswords\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PermitEmptyPasswords\\\\s+\\n line: PermitEmptyPasswords no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.1\\n - NIST-800-171-3.1.5\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - PCI-DSS-Req-2.2.6\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_empty_passwords\",\n \"id\": \"sshd_disable_empty_passwords\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_empty_passwords:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Disallow SSH login with empty passwords.\nThe default SSH configuration disables logins with empty passwords. The appropriate\nconfiguration is used if no value is set for.To explicitly disallow SSH login from accounts with empty passwords,\nadd or correct the following line in:Any accounts with empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000318",
+ "CCI-000368",
+ "CCI-001812",
+ "CCI-001813",
+ "CCI-001814",
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-3 f",
+ "CM-6 c",
+ "CM-11 (2)",
+ "CM-5 (1) (a)",
+ "CM-5 (1)",
+ "CM-6 b",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a.",
+ "AC-17 a."
+ ],
+ "severity": "medium",
+ "description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI.The default SSH configuration disallows authentications based on GSSAPI. The appropriate\nconfiguration is used if no value is set for.To explicitly disable GSSAPI authentication, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_gssapi_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000318",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000368",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001812",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001813",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001814",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0418",
+ "href": ""
+ },
+ {
+ "text": "1055",
+ "href": ""
+ },
+ {
+ "text": "1402",
+ "href": ""
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FTP_ITC_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FCS_SSH_EXT.1.2",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000364-GPOS-00151",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000318",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000368",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001812",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001813",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001814",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0418"
+ },
+ {
+ "ref": "1055"
+ },
+ {
+ "ref": "1402"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FTP_ITC_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FCS_SSH_EXT.1.2",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000364-GPOS-00151",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable GSSAPI Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth",
+ "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI.The default SSH configuration disallows authentications based on GSSAPI. The appropriate\nconfiguration is used if no value is set for.To explicitly disable GSSAPI authentication, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "GSSAPI authentication is used to provide additional authentication mechanisms to\napplications. Allowing GSSAPI authentication through SSH exposes the system's\nGSSAPI to remote hosts, increasing the attack surface of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable GSSAPI Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"GSSAPIAuthentication\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"GSSAPIAuthentication no\",\n \"text\": \"Unless needed, SSH should not permit extraneous or unnecessary\\nauthentication mechanisms like GSSAPI.The default SSH configuration disallows authentications based on GSSAPI. The appropriate\\nconfiguration is used if no value is set for.To explicitly disable GSSAPI authentication, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000318\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000368\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001812\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001813\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001814\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0418\",\n \"href\": \"\"\n },\n {\n \"text\": \"1055\",\n \"href\": \"\"\n },\n {\n \"text\": \"1402\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FTP_ITC_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FCS_SSH_EXT.1.2\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000364-GPOS-00151\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"GSSAPI authentication is used to provide additional authentication mechanisms to\\napplications. Allowing GSSAPI authentication through SSH exposes the system's\\nGSSAPI to remote hosts, increasing the attack surface of the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*GSSAPIAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"GSSAPIAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"GSSAPIAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_gssapi_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable GSSAPI Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n line: GSSAPIAuthentication no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_gssapi_auth\",\n \"id\": \"sshd_disable_gssapi_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_gssapi_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI.The default SSH configuration disallows authentications based on GSSAPI. The appropriate\nconfiguration is used if no value is set for.To explicitly disable GSSAPI authentication, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000318",
+ "CCI-000368",
+ "CCI-001812",
+ "CCI-001813",
+ "CCI-001814",
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-3 f",
+ "CM-6 c",
+ "CM-11 (2)",
+ "CM-5 (1) (a)",
+ "CM-5 (1)",
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos.The default SSH configuration disallows authentication validation through Kerberos.\nThe appropriate configuration is used if no value is set for.To explicitly disable Kerberos authentication, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_kerb_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000318",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000368",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001812",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001813",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001814",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "0421",
+ "href": ""
+ },
+ {
+ "text": "0422",
+ "href": ""
+ },
+ {
+ "text": "0431",
+ "href": ""
+ },
+ {
+ "text": "0974",
+ "href": ""
+ },
+ {
+ "text": "1173",
+ "href": ""
+ },
+ {
+ "text": "1401",
+ "href": ""
+ },
+ {
+ "text": "1504",
+ "href": ""
+ },
+ {
+ "text": "1505",
+ "href": ""
+ },
+ {
+ "text": "1546",
+ "href": ""
+ },
+ {
+ "text": "1557",
+ "href": ""
+ },
+ {
+ "text": "1558",
+ "href": ""
+ },
+ {
+ "text": "1559",
+ "href": ""
+ },
+ {
+ "text": "1560",
+ "href": ""
+ },
+ {
+ "text": "1561",
+ "href": ""
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FTP_ITC_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FCS_SSH_EXT.1.2",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000364-GPOS-00151",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000318",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000368",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001812",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001813",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001814",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "0421"
+ },
+ {
+ "ref": "0422"
+ },
+ {
+ "ref": "0431"
+ },
+ {
+ "ref": "0974"
+ },
+ {
+ "ref": "1173"
+ },
+ {
+ "ref": "1401"
+ },
+ {
+ "ref": "1504"
+ },
+ {
+ "ref": "1505"
+ },
+ {
+ "ref": "1546"
+ },
+ {
+ "ref": "1557"
+ },
+ {
+ "ref": "1558"
+ },
+ {
+ "ref": "1559"
+ },
+ {
+ "ref": "1560"
+ },
+ {
+ "ref": "1561"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FTP_ITC_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FCS_SSH_EXT.1.2",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000364-GPOS-00151",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable Kerberos Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth",
+ "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos.The default SSH configuration disallows authentication validation through Kerberos.\nThe appropriate configuration is used if no value is set for.To explicitly disable Kerberos authentication, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos\nis enabled through SSH, the SSH daemon provides a means of access to the\nsystem's Kerberos implementation. \nConfiguring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable Kerberos Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"KerberosAuthentication\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"KerberosAuthentication no\",\n \"text\": \"Unless needed, SSH should not permit extraneous or unnecessary\\nauthentication mechanisms like Kerberos.The default SSH configuration disallows authentication validation through Kerberos.\\nThe appropriate configuration is used if no value is set for.To explicitly disable Kerberos authentication, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000318\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000368\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001812\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001813\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001814\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"0421\",\n \"href\": \"\"\n },\n {\n \"text\": \"0422\",\n \"href\": \"\"\n },\n {\n \"text\": \"0431\",\n \"href\": \"\"\n },\n {\n \"text\": \"0974\",\n \"href\": \"\"\n },\n {\n \"text\": \"1173\",\n \"href\": \"\"\n },\n {\n \"text\": \"1401\",\n \"href\": \"\"\n },\n {\n \"text\": \"1504\",\n \"href\": \"\"\n },\n {\n \"text\": \"1505\",\n \"href\": \"\"\n },\n {\n \"text\": \"1546\",\n \"href\": \"\"\n },\n {\n \"text\": \"1557\",\n \"href\": \"\"\n },\n {\n \"text\": \"1558\",\n \"href\": \"\"\n },\n {\n \"text\": \"1559\",\n \"href\": \"\"\n },\n {\n \"text\": \"1560\",\n \"href\": \"\"\n },\n {\n \"text\": \"1561\",\n \"href\": \"\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FTP_ITC_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FCS_SSH_EXT.1.2\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000364-GPOS-00151\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos\\nis enabled through SSH, the SSH daemon provides a means of access to the\\nsystem's Kerberos implementation. \\nConfiguring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*KerberosAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"KerberosAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"KerberosAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_kerb_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable Kerberos Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*KerberosAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*KerberosAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*KerberosAuthentication\\\\s+\\n line: KerberosAuthentication no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_kerb_auth\",\n \"id\": \"sshd_disable_kerb_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_kerb_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos.The default SSH configuration disallows authentication validation through Kerberos.\nThe appropriate configuration is used if no value is set for.To explicitly disable Kerberos authentication, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms. To disable PubkeyAuthentication authentication, add or\ncorrect the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_pubkey_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable PubkeyAuthentication Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth",
+ "desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms. To disable PubkeyAuthentication authentication, add or\ncorrect the following line in:",
+ "descriptions": [
+ {
+ "data": "PubkeyAuthentication authentication is used to provide additional authentication mechanisms to\napplications. Allowing PubkeyAuthentication authentication through SSH allows users to\ngenerate their own authentication tokens, increasing the attack surface of the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable PubkeyAuthentication Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"PubkeyAuthentication no\",\n \"text\": \"Unless needed, SSH should not permit extraneous or unnecessary\\nauthentication mechanisms. To disable PubkeyAuthentication authentication, add or\\ncorrect the following line in:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"PubkeyAuthentication authentication is used to provide additional authentication mechanisms to\\napplications. Allowing PubkeyAuthentication authentication through SSH allows users to\\ngenerate their own authentication tokens, increasing the attack surface of the system.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PubkeyAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PubkeyAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PubkeyAuthentication no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_pubkey_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable PubkeyAuthentication Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n line: PubkeyAuthentication no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_pubkey_auth\",\n \"id\": \"sshd_disable_pubkey_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_pubkey_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms. To disable PubkeyAuthentication authentication, add or\ncorrect the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "SSH can emulate the behavior of the obsolete rsh\ncommand in allowing users to enable insecure access to their\naccounts viafiles.The default SSH configuration disables support for. The appropriate\nconfiguration is used if no value is set for.To explicitly disable support for .rhosts files, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_rhosts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000107-VMM-000530",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000107-VMM-000530"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Support for .rhosts Files",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts",
+ "desc": "SSH can emulate the behavior of the obsolete rsh\ncommand in allowing users to enable insecure access to their\naccounts viafiles.The default SSH configuration disables support for. The appropriate\nconfiguration is used if no value is set for.To explicitly disable support for .rhosts files, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "SSH trust relationships mean a compromise on one host\ncan allow an attacker to move trivially to other hosts.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Support for .rhosts Files\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \".rhosts\",\n \".rhosts\",\n \"IgnoreRhosts\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"IgnoreRhosts yes\",\n \"text\": \"SSH can emulate the behavior of the obsolete rsh\\ncommand in allowing users to enable insecure access to their\\naccounts viafiles.The default SSH configuration disables support for. The appropriate\\nconfiguration is used if no value is set for.To explicitly disable support for .rhosts files, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000107-VMM-000530\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"SSH trust relationships mean a compromise on one host\\ncan allow an attacker to move trivially to other hosts.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*IgnoreRhosts\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"IgnoreRhosts yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"IgnoreRhosts yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_rhosts\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH Support for .rhosts Files\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*IgnoreRhosts\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*IgnoreRhosts\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*IgnoreRhosts\\\\s+\\n line: IgnoreRhosts yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_rhosts\",\n \"id\": \"sshd_disable_rhosts\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_rhosts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_rhosts\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH can emulate the behavior of the obsolete rsh\ncommand in allowing users to enable insecure access to their\naccounts viafiles.The default SSH configuration disables support for. The appropriate\nconfiguration is used if no value is set for.To explicitly disable support for .rhosts files, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.To ensure this behavior is disabled, add or correct the\nfollowing line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_rhosts_rsa:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Support for Rhosts RSA Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa",
+ "desc": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.To ensure this behavior is disabled, add or correct the\nfollowing line in:",
+ "descriptions": [
+ {
+ "data": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even\nin the event of misconfiguration elsewhere.",
+ "label": "rationale"
+ },
+ {
+ "data": "As ofversionand above,\ntheoption has been deprecated, and the lineinis not\nnecessary.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Support for Rhosts RSA Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"RhostsRSAAuthentication no\",\n \"text\": \"SSH can allow authentication through the obsolete rsh\\ncommand through the use of the authenticating user's SSH keys. This should be disabled.To ensure this behavior is disabled, add or correct the\\nfollowing line in:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"code\": [\n \"openssh-server\",\n \"7.4\",\n \"RhostsRSAAuthentication\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"RhostsRSAAuthentication no\",\n \"text\": \"As ofversionand above,\\ntheoption has been deprecated, and the lineinis not\\nnecessary.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Configuring this setting for the SSH daemon provides additional\\nassurance that remote login via SSH will require a password, even\\nin the event of misconfiguration elsewhere.\",\n \"lang\": \"en-US\"\n },\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_rhosts_rsa:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.To ensure this behavior is disabled, add or correct the\nfollowing line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366",
+ "CCI-000770"
+ ],
+ "nist": [
+ "CM-6 b",
+ "IA-2 (5)",
+ "AC-6 (2)",
+ "AC-17 a.",
+ "IA-2",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_root_login:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R19)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "NT007(R21)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.1",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.1.5",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000770",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.6",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-2",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-2(5)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FAU_GEN.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000109-GPOS-00056",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_average",
+ "description": "This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.",
+ "title": "Profile for ANSSI DAT-NT28 Average (Intermediate) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high",
+ "description": "This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontroled networks.",
+ "title": "Profile for ANSSI DAT-NT28 High (Enforced) Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive",
+ "description": "This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.",
+ "title": "Profile for ANSSI DAT-NT28 Restrictive Level"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ },
+ {
+ "id": "xccdf_org.ssgproject.content_profile_standard",
+ "description": "This profile contains rules to ensure standard security baseline of an Ubuntu 18.04 system. Regardless of your system's workload all of these checks should pass.",
+ "title": "Standard System Security Profile for Ubuntu 18.04"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R19)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "NT007(R21)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.1",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.1.5",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000770",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.6",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-2",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-2(5)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FAU_GEN.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000109-GPOS-00056",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Root Login",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
+ "desc": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Even though the communications channel may be encrypted, an additional layer of\nsecurity is gained by extending the policy of not logging directly on as root.\nIn addition, logging in with a user-specific account provides individual\naccountability of actions performed on the system and also helps to minimize\ndirect attack attempts on root's password.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Root Login\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"PermitRootLogin no\",\n \"text\": \"The root user should never be allowed to login to a\\nsystem directly over a network.\\nTo disable root login via SSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R19)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"NT007(R21)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.1\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.1.5\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000770\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.6\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-2\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-2(5)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FAU_GEN.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000109-GPOS-00056\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Even though the communications channel may be encrypted, an additional layer of\\nsecurity is gained by extending the policy of not logging directly on as root.\\nIn addition, logging in with a user-specific account provides individual\\naccountability of actions performed on the system and also helps to minimize\\ndirect attack attempts on root's password.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PermitRootLogin\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PermitRootLogin no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PermitRootLogin no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_root_login\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH Root Login\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n line: PermitRootLogin no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.1\\n - NIST-800-171-3.1.5\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6(2)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - NIST-800-53-IA-2\\n - NIST-800-53-IA-2(5)\\n - PCI-DSS-Req-2.2.6\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_root_login\",\n \"id\": \"sshd_disable_root_login\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_root_login:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_root_login\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "To disable password-based root logins over SSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_root_password_login:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable SSH root Login with a Password (Insecure)",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login",
+ "desc": "To disable password-based root logins over SSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by preventing use of a password.\nThis also helps to minimize direct attack attempts on root's password.",
+ "label": "rationale"
+ },
+ {
+ "data": "While this disables password-based root logins, direct root logins\nthrough other means such as through SSH keys or GSSAPI will still be\npermitted. Permitting any sort of root login remotely opens up the\nroot account to attack.\nTo fully disable direct root logins over SSH (which is considered a\nbest practice) and prevent remote attacks against the root account,\nsee CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.",
+ "label": "warning"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH root Login with a Password (Insecure)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"PermitRootLogin prohibit-password\",\n \"text\": \"To disable password-based root logins over SSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"warning\": {\n \"text\": \"While this disables password-based root logins, direct root logins\\nthrough other means such as through SSH keys or GSSAPI will still be\\npermitted. Permitting any sort of root login remotely opens up the\\nroot account to attack.\\nTo fully disable direct root logins over SSH (which is considered a\\nbest practice) and prevent remote attacks against the root account,\\nsee CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.\",\n \"lang\": \"en-US\",\n \"category\": \"general\"\n },\n \"rationale\": {\n \"text\": \"Even though the communications channel may be encrypted, an additional\\nlayer of security is gained by preventing use of a password.\\nThis also helps to minimize direct attack attempts on root's password.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PermitRootLogin\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PermitRootLogin prohibit-password\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PermitRootLogin prohibit-password\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_root_password_login\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH root Login with a Password (Insecure)\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PermitRootLogin\\\\s+\\n line: PermitRootLogin prohibit-password\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_root_password_login\",\n \"id\": \"sshd_disable_root_password_login\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_root_password_login:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To disable password-based root logins over SSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Theparameter specifies whether TCP forwarding is permitted.\nTo disable TCP forwarding, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_tcp_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Disable SSH TCP Forwarding",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding",
+ "desc": "Theparameter specifies whether TCP forwarding is permitted.\nTo disable TCP forwarding, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Leaving port forwarding enabled can expose the organization to security risks and back-doors.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH TCP Forwarding\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"AllowTcpForwarding\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"AllowTcpForwarding no\",\n \"text\": \"Theparameter specifies whether TCP forwarding is permitted.\\nTo disable TCP forwarding, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Leaving port forwarding enabled can expose the organization to security risks and back-doors.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*AllowTcpForwarding\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"AllowTcpForwarding no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"AllowTcpForwarding no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_tcp_forwarding\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH TCP Forwarding\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*AllowTcpForwarding\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*AllowTcpForwarding\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*AllowTcpForwarding\\\\s+\\n line: AllowTcpForwarding no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_tcp_forwarding\",\n \"id\": \"sshd_disable_tcp_forwarding\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_tcp_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter specifies whether TCP forwarding is permitted.\nTo disable TCP forwarding, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "SSH can allow system users to connect to systems if a cache of the remote\nsystems public keys is available. This should be disabled.To ensure this behavior is disabled, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_user_known_hosts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Support for User Known Hosts",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts",
+ "desc": "SSH can allow system users to connect to systems if a cache of the remote\nsystems public keys is available. This should be disabled.To ensure this behavior is disabled, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Configuring this setting for the SSH daemon provides additional\nassurance that remote login via SSH will require a password, even\nin the event of misconfiguration elsewhere.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Support for User Known Hosts\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"IgnoreUserKnownHosts yes\",\n \"text\": \"SSH can allow system users to connect to systems if a cache of the remote\\nsystems public keys is available. This should be disabled.To ensure this behavior is disabled, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Configuring this setting for the SSH daemon provides additional\\nassurance that remote login via SSH will require a password, even\\nin the event of misconfiguration elsewhere.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*IgnoreUserKnownHosts\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"IgnoreUserKnownHosts yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"IgnoreUserKnownHosts yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_user_known_hosts\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable SSH Support for User Known Hosts\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*IgnoreUserKnownHosts\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*IgnoreUserKnownHosts\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*IgnoreUserKnownHosts\\\\s+\\n line: IgnoreUserKnownHosts yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_user_known_hosts\",\n \"id\": \"sshd_disable_user_known_hosts\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_user_known_hosts:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH can allow system users to connect to systems if a cache of the remote\nsystems public keys is available. This should be disabled.To ensure this behavior is disabled, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 b."
+ ],
+ "severity": "medium",
+ "description": "The X11Forwarding parameter provides the ability to tunnel X11 traffic\nthrough the connection to enable remote graphic connections.\nSSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.The default SSH configuration disables X11Forwarding. The appropriate\nconfiguration is used if no value is set for.To explicitly disable X11 Forwarding, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_x11_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CM-6(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CM-6(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable X11 Forwarding",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding",
+ "desc": "The X11Forwarding parameter provides the ability to tunnel X11 traffic\nthrough the connection to enable remote graphic connections.\nSSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.The default SSH configuration disables X11Forwarding. The appropriate\nconfiguration is used if no value is set for.To explicitly disable X11 Forwarding, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Disable X11 forwarding unless there is an operational requirement to use X11\napplications directly. There is a small risk that the remote X11 servers of\nusers who are logged in via SSH with X11 forwarding could be compromised by\nother users on the X11 server. Note that even if X11 forwarding is disabled,\nusers can always install their own forwarders.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Disable X11 Forwarding\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"X11Forwarding\",\n \"X11Forwarding\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"X11Forwarding no\",\n \"text\": \"The X11Forwarding parameter provides the ability to tunnel X11 traffic\\nthrough the connection to enable remote graphic connections.\\nSSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.The default SSH configuration disables X11Forwarding. The appropriate\\nconfiguration is used if no value is set for.To explicitly disable X11 Forwarding, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CM-6(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Disable X11 forwarding unless there is an operational requirement to use X11\\napplications directly. There is a small risk that the remote X11 servers of\\nusers who are logged in via SSH with X11 forwarding could be compromised by\\nother users on the X11 server. Note that even if X11 forwarding is disabled,\\nusers can always install their own forwarders.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*X11Forwarding\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"X11Forwarding no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"X11Forwarding no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_disable_x11_forwarding\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Disable X11 Forwarding\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n line: X11Forwarding no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(b)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_disable_x11_forwarding\",\n \"id\": \"sshd_disable_x11_forwarding\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_disable_x11_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The X11Forwarding parameter provides the ability to tunnel X11 traffic\nthrough the connection to enable remote graphic connections.\nSSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.The default SSH configuration disables X11Forwarding. The appropriate\nconfiguration is used if no value is set for.To explicitly disable X11 Forwarding, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-7 a.",
+ "CM-7 b.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Ensure that users are not able to override environment variables of the SSH daemon.The default SSH configuration disables environment processing. The appropriate\nconfiguration is used if no value is set for.To explicitly disable Environment options, add or correct the following:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_do_not_permit_user_env:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-7(b)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00229",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-7(b)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00229",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Do Not Allow SSH Environment Options",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env",
+ "desc": "Ensure that users are not able to override environment variables of the SSH daemon.The default SSH configuration disables environment processing. The appropriate\nconfiguration is used if no value is set for.To explicitly disable Environment options, add or correct the following:",
+ "descriptions": [
+ {
+ "data": "SSH environment options potentially allow users to bypass\naccess restriction in some configurations.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Do Not Allow SSH Environment Options\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"PermitUserEnvironment\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"PermitUserEnvironment no\",\n \"text\": \"Ensure that users are not able to override environment variables of the SSH daemon.The default SSH configuration disables environment processing. The appropriate\\nconfiguration is used if no value is set for.To explicitly disable Environment options, add or correct the following:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-7(b)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00229\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"SSH environment options potentially allow users to bypass\\naccess restriction in some configurations.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PermitUserEnvironment\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PermitUserEnvironment no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PermitUserEnvironment no\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_do_not_permit_user_env\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Do Not Allow SSH Environment Options\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitUserEnvironment\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PermitUserEnvironment\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PermitUserEnvironment\\\\s+\\n line: PermitUserEnvironment no\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - NIST-800-53-CM-7(a)\\n - NIST-800-53-CM-7(b)\\n - PCI-DSS-Req-2.2.6\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_do_not_permit_user_env\",\n \"id\": \"sshd_do_not_permit_user_env\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_do_not_permit_user_env:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ensure that users are not able to override environment variables of the SSH daemon.The default SSH configuration disables environment processing. The appropriate\nconfiguration is used if no value is set for.To explicitly disable Environment options, add or correct the following:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Sites setup to use Kerberos or other GSSAPI Authenticaion require setting\nsshd to accept this authentication.\nTo enable GSSAPI authentication, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_gssapi_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Enable GSSAPI Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth",
+ "desc": "Sites setup to use Kerberos or other GSSAPI Authenticaion require setting\nsshd to accept this authentication.\nTo enable GSSAPI authentication, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Kerberos authentication for SSH is often implemented using GSSAPI. If\nKerberos is enabled through SSH, the SSH daemon provides a means of access\nto the system's Kerberos implementation. Vulnerabilities in the system's\nKerberos implementations may be subject to exploitation.\n\nFor enterprises, Kerberos is often enabled and used with GSSAPI for \ncentralized user account management which may necessitate enabling of\nGSSAPI functionality in SSH.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable GSSAPI Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"GSSAPIAuthentication yes\",\n \"text\": \"Sites setup to use Kerberos or other GSSAPI Authenticaion require setting\\nsshd to accept this authentication.\\nTo enable GSSAPI authentication, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Kerberos authentication for SSH is often implemented using GSSAPI. If\\nKerberos is enabled through SSH, the SSH daemon provides a means of access\\nto the system's Kerberos implementation. Vulnerabilities in the system's\\nKerberos implementations may be subject to exploitation.\\n\\nFor enterprises, Kerberos is often enabled and used with GSSAPI for \\ncentralized user account management which may necessitate enabling of\\nGSSAPI functionality in SSH.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*GSSAPIAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"GSSAPIAuthentication yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"GSSAPIAuthentication yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_gssapi_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable GSSAPI Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*GSSAPIAuthentication\\\\s+\\n line: GSSAPIAuthentication yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_gssapi_auth\",\n \"id\": \"sshd_enable_gssapi_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_gssapi_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Sites setup to use Kerberos or other GSSAPI Authenticaion require setting\nsshd to accept this authentication.\nTo enable GSSAPI authentication, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000877"
+ ],
+ "nist": [
+ "MA-4 c"
+ ],
+ "severity": "medium",
+ "description": "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will\nenable PAM authentication using ChallengeResponseAuthentication and\nPasswordAuthentication in addition to PAM account and session module processing for all\nauthentication types.\n\nTo enable PAM authentication, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_pam",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_pam:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_pam_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000877",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000125-GPOS-00065",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_pam",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000877",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000125-GPOS-00065",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable PAM",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_pam",
+ "desc": "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will\nenable PAM authentication using ChallengeResponseAuthentication and\nPasswordAuthentication in addition to PAM account and session module processing for all\nauthentication types.\n\nTo enable PAM authentication, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "When UsePAM is set to yes, PAM runs through account and session types properly. This is\nimportant if you want to restrict access to services based off of IP, time or other factors of\nthe account. Additionally, you can make sure users inherit certain environment variables\non login or disallow access to the server.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable PAM\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"UsePAM yes\",\n \"text\": \"UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will\\nenable PAM authentication using ChallengeResponseAuthentication and\\nPasswordAuthentication in addition to PAM account and session module processing for all\\nauthentication types.\\n\\nTo enable PAM authentication, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000877\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000125-GPOS-00065\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"When UsePAM is set to yes, PAM runs through account and session types properly. This is\\nimportant if you want to restrict access to services based off of IP, time or other factors of\\nthe account. Additionally, you can make sure users inherit certain environment variables\\non login or disallow access to the server.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*UsePAM\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"UsePAM yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"UsePAM yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_pam\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable PAM\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*UsePAM\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*UsePAM\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*UsePAM\\\\s+\\n line: UsePAM yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_pam\",\n \"id\": \"sshd_enable_pam\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_pam:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_pam_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_pam\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will\nenable PAM authentication using ChallengeResponseAuthentication and\nPasswordAuthentication in addition to PAM account and session module processing for all\nauthentication types.\n\nTo enable PAM authentication, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000765",
+ "CCI-000766",
+ "CCI-000767",
+ "CCI-000768"
+ ],
+ "nist": [
+ "IA-2 (1)",
+ "IA-2 (2)",
+ "IA-2 (3)",
+ "IA-2 (4)"
+ ],
+ "severity": "medium",
+ "description": "Enable SSH login with public keys.The default SSH configuration enables authentication based on public keys. The appropriate\nconfiguration is used if no value is set for.To explicitly enable Public Key Authentication, add or correct the following:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_pubkey_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000765",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000766",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000767",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000768",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SRG-OS-000105-GPOS-00052",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000106-GPOS-00053",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000107-GPOS-00054",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000108-GPOS-00055",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000765",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000766",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000767",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000768",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SRG-OS-000105-GPOS-00052",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000106-GPOS-00053",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000107-GPOS-00054",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000108-GPOS-00055",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Public Key Authentication",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth",
+ "desc": "Enable SSH login with public keys.The default SSH configuration enables authentication based on public keys. The appropriate\nconfiguration is used if no value is set for.To explicitly enable Public Key Authentication, add or correct the following:",
+ "descriptions": [
+ {
+ "data": "Without the use of multifactor authentication, the ease of access to\nprivileged functions is greatly increased. Multifactor authentication\nrequires using two or more factors to achieve authentication.\nA privileged account is defined as an information system account with\nauthorizations of a privileged user. \nThe DoD CAC with DoD-approved PKI is an example of multifactor\nauthentication.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Public Key Authentication\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"PubkeyAuthentication\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"PubkeyAuthentication yes\",\n \"text\": \"Enable SSH login with public keys.The default SSH configuration enables authentication based on public keys. The appropriate\\nconfiguration is used if no value is set for.To explicitly enable Public Key Authentication, add or correct the following:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000765\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000766\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000767\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000768\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SRG-OS-000105-GPOS-00052\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000106-GPOS-00053\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000107-GPOS-00054\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000108-GPOS-00055\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without the use of multifactor authentication, the ease of access to\\nprivileged functions is greatly increased. Multifactor authentication\\nrequires using two or more factors to achieve authentication.\\nA privileged account is defined as an information system account with\\nauthorizations of a privileged user. \\nThe DoD CAC with DoD-approved PKI is an example of multifactor\\nauthentication.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PubkeyAuthentication\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PubkeyAuthentication yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PubkeyAuthentication yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_pubkey_auth\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable Public Key Authentication\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PubkeyAuthentication\\\\s+\\n line: PubkeyAuthentication yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_pubkey_auth\",\n \"id\": \"sshd_enable_pubkey_auth\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_pubkey_auth:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Enable SSH login with public keys.The default SSH configuration enables authentication based on public keys. The appropriate\nconfiguration is used if no value is set for.To explicitly enable Public Key Authentication, add or correct the following:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-6",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "SSHsoption checks file and ownership permissions in\nthe user's home directoryfolder before accepting login. If world-\nwritable permissions are found, logon is rejected.The default SSH configuration hasenabled. The appropriate\nconfiguration is used if no value is set for.To explicitly enablein SSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_strictmodes:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000480-VMM-002000",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000480-VMM-002000"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Use of Strict Mode Checking",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes",
+ "desc": "SSHsoption checks file and ownership permissions in\nthe user's home directoryfolder before accepting login. If world-\nwritable permissions are found, logon is rejected.The default SSH configuration hasenabled. The appropriate\nconfiguration is used if no value is set for.To explicitly enablein SSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "If other users have access to modify user-specific SSH configuration files, they\nmay be able to log into the system as another user.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Use of Strict Mode Checking\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"StrictModes\",\n \".ssh\",\n \"StrictModes\",\n \"StrictModes\",\n \"StrictModes\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"StrictModes yes\",\n \"text\": \"SSHsoption checks file and ownership permissions in\\nthe user's home directoryfolder before accepting login. If world-\\nwritable permissions are found, logon is rejected.The default SSH configuration hasenabled. The appropriate\\nconfiguration is used if no value is set for.To explicitly enablein SSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000480-VMM-002000\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"If other users have access to modify user-specific SSH configuration files, they\\nmay be able to log into the system as another user.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*StrictModes\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"StrictModes yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"StrictModes yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_strictmodes\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable Use of Strict Mode Checking\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*StrictModes\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*StrictModes\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*StrictModes\\\\s+\\n line: StrictModes yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6\\n - NIST-800-53-CM-6(a)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_strictmodes\",\n \"id\": \"sshd_enable_strictmodes\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_strictmodes:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSHsoption checks file and ownership permissions in\nthe user's home directoryfolder before accepting login. If world-\nwritable permissions are found, logon is rejected.The default SSH configuration hasenabled. The appropriate\nconfiguration is used if no value is set for.To explicitly enablein SSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000048",
+ "CCI-000050",
+ "CCI-001384",
+ "CCI-001385",
+ "CCI-001386",
+ "CCI-001387",
+ "CCI-001388"
+ ],
+ "nist": [
+ "AC-8 a",
+ "AC-8 b",
+ "AC-8 c 1",
+ "AC-8 c 2",
+ "AC-8 c 3",
+ "AC-8 a.",
+ "AC-8 c.",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_warning_banner:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000048",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000050",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001384",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001385",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001386",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001387",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001388",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-8(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-8(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FTA_TAB.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000023-GPOS-00006",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000228-GPOS-00088",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000023-VMM-000060",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000024-VMM-000070",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000048",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000050",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001384",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001385",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001386",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001387",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001388",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-8(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-8(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FTA_TAB.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000023-GPOS-00006",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000228-GPOS-00088",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000023-VMM-000060"
+ },
+ {
+ "ref": "SRG-OS-000024-VMM-000070"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable SSH Warning Banner",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner",
+ "desc": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "descriptions": [
+ {
+ "data": "The warning message reinforces policy awareness during the logon process and\nfacilitates possible legal action against attackers. Alternatively, systems\nwhose ownership should not be obvious should ensure usage of a banner that does\nnot provide easy attribution.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Enable SSH Warning Banner\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"Banner /etc/issue\",\n \"text\": \"To enable the warning banner and ensure it is consistent\\nacross the system, add or correct the following line in:Another section contains information on how to create an\\nappropriate system-wide warning banner.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000048\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000050\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001384\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001385\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001386\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001387\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001388\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-8(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-8(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FTA_TAB.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000023-GPOS-00006\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000228-GPOS-00088\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000023-VMM-000060\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000024-VMM-000070\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The warning message reinforces policy awareness during the logon process and\\nfacilitates possible legal action against attackers. Alternatively, systems\\nwhose ownership should not be obvious should ensure usage of a banner that does\\nnot provide easy attribution.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*Banner\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"Banner /etc/issue\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"Banner /etc/issue\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_warning_banner\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable SSH Warning Banner\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n line: Banner /etc/issue\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.9\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-8(a)\\n - NIST-800-53-AC-8(c)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_warning_banner\",\n \"id\": \"sshd_enable_warning_banner\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_warning_banner:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000048",
+ "CCI-000050",
+ "CCI-001384",
+ "CCI-001385",
+ "CCI-001386",
+ "CCI-001387",
+ "CCI-001388"
+ ],
+ "nist": [
+ "AC-8 a",
+ "AC-8 b",
+ "AC-8 c 1",
+ "AC-8 c 2",
+ "AC-8 c 3",
+ "AC-8 a.",
+ "AC-8 c.",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_warning_banner_net:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "5.5.6",
+ "href": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000048",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-000050",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001384",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001385",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001386",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001387",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-001388",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-8(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-8(c)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FTA_TAB.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000023-GPOS-00006",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000228-GPOS-00088",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000023-VMM-000060",
+ "href": ""
+ },
+ {
+ "text": "SRG-OS-000024-VMM-000070",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "5.5.6",
+ "url": "https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000048",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-000050",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001384",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001385",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001386",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001387",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-001388",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-8(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-8(c)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FTA_TAB.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000023-GPOS-00006",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000228-GPOS-00088",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000023-VMM-000060"
+ },
+ {
+ "ref": "SRG-OS-000024-VMM-000070"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable SSH Warning Banner",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net",
+ "desc": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "descriptions": [
+ {
+ "data": "The warning message reinforces policy awareness during the logon process and\nfacilitates possible legal action against attackers. Alternatively, systems\nwhose ownership should not be obvious should ensure usage of a banner that does\nnot provide easy attribution.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable SSH Warning Banner\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": \"Banner /etc/issue.net\",\n \"text\": \"To enable the warning banner and ensure it is consistent\\nacross the system, add or correct the following line in:Another section contains information on how to create an\\nappropriate system-wide warning banner.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"5.5.6\",\n \"href\": \"https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000048\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-000050\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001384\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001385\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001386\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001387\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-001388\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-8(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-8(c)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FTA_TAB.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000023-GPOS-00006\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000228-GPOS-00088\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000023-VMM-000060\",\n \"href\": \"\"\n },\n {\n \"text\": \"SRG-OS-000024-VMM-000070\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"The warning message reinforces policy awareness during the logon process and\\nfacilitates possible legal action against attackers. Alternatively, systems\\nwhose ownership should not be obvious should ensure usage of a banner that does\\nnot provide easy attribution.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*Banner\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"Banner /etc/issue.net\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"Banner /etc/issue.net\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_warning_banner_net\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable SSH Warning Banner\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*Banner\\\\s+\\n line: Banner /etc/issue.net\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - CJIS-5.5.6\\n - NIST-800-171-3.1.9\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-8(a)\\n - NIST-800-53-AC-8(c)\\n - NIST-800-53-CM-6(a)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_warning_banner_net\",\n \"id\": \"sshd_enable_warning_banner_net\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_warning_banner_net:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in:Another section contains information on how to create an\nappropriate system-wide warning banner.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a.",
+ "AC-17 a.",
+ "AC-17 (2)"
+ ],
+ "severity": "high",
+ "description": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To enable X11 Forwarding, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_x11_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "20",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "4",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "6",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "9",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "BAI03.08",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI07.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "BAI10.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS03.01",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.4.3.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.4.3.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 7.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.12.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.5.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.12.6.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-007-3 R7.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(2)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "DE.AE-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.IP-1",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "high",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "20",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "4",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "6",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "9",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "BAI03.08",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI07.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "BAI10.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS03.01",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.4.3.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.4.3.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 7.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.12.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.5.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.12.6.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-007-3 R7.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(2)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "DE.AE-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.IP-1",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Encrypted X11 Forwarding",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding",
+ "desc": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To enable X11 Forwarding, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands\nremotely.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.7,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Encrypted X11 Forwarding\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"X11Forwarding\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": [\n \"\",\n \"\"\n ],\n \"pre\": \"X11Forwarding yes\",\n \"text\": \"By default, remote X11 connections are not encrypted when initiated\\nby users. SSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To enable X11 Forwarding, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"20\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"4\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"6\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"9\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"BAI03.08\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI07.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"BAI10.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS03.01\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.4.3.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.4.3.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 7.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.12.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.5.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.12.6.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-007-3 R7.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(2)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"DE.AE-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.IP-1\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands\\nremotely.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*X11Forwarding\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"X11Forwarding yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"X11Forwarding yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_enable_x11_forwarding\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable Encrypted X11 Forwarding\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*X11Forwarding\\\\s+\\n line: X11Forwarding yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.13\\n - NIST-800-53-AC-17(2)\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - high_severity\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_enable_x11_forwarding\",\n \"id\": \"sshd_enable_x11_forwarding\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_enable_x11_forwarding:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"high\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH'soption is enabled.To enable X11 Forwarding, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-3",
+ "CM-6 a."
+ ],
+ "severity": "unknown",
+ "description": "By default, the SSH configuration allows any user with an account\nto access the system. In order to specify the users that are allowed to login\nvia SSH and deny all other users, add or correct the following line in thefile:Whereandare valid user names.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_limit_user_access",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_limit_user_access_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "11",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.05",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.03",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "4.3.3.2.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.5.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.7.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.11",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.12",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.13",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.3",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.4",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.6",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 2.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.3.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-3",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.AC-6",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.PT-3",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_limit_user_access",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "11",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.05",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.03",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "4.3.3.2.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.5.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.7.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.11",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.12",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.13",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.3",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.4",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.6",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 2.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.3.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-3",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.AC-6",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.PT-3",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Limit Users' SSH Access",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_limit_user_access",
+ "desc": "By default, the SSH configuration allows any user with an account\nto access the system. In order to specify the users that are allowed to login\nvia SSH and deny all other users, add or correct the following line in thefile:Whereandare valid user names.",
+ "descriptions": [
+ {
+ "data": "ocil:ssg-sshd_limit_user_access_ocil:questionnaire:1",
+ "label": "check"
+ },
+ {
+ "data": "Specifying which accounts are allowed SSH access into the system reduces the\npossibility of unauthorized access to the system.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Limit Users' SSH Access\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/ssh/sshd_config\",\n \"USER1\",\n \"USER2\"\n ],\n \"pre\": \"AllowUsers USER1 USER2\",\n \"text\": \"By default, the SSH configuration allows any user with an account\\nto access the system. In order to specify the users that are allowed to login\\nvia SSH and deny all other users, add or correct the following line in thefile:Whereandare valid user names.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"11\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.05\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.03\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"4.3.3.2.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.5.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.7.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.11\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.12\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.13\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.3\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.4\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.6\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 2.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.3.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-3\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.AC-6\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.PT-3\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n }\n ],\n \"rationale\": {\n \"text\": \"Specifying which accounts are allowed SSH access into the system reduces the\\npossibility of unauthorized access to the system.\",\n \"lang\": \"en-US\"\n },\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_limit_user_access_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_limit_user_access\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "By default, the SSH configuration allows any user with an account\nto access the system. In order to specify the users that are allowed to login\nvia SSH and deny all other users, add or correct the following line in thefile:Whereandare valid user names.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000052"
+ ],
+ "nist": [
+ "AC-9",
+ "AC-9 (1)"
+ ],
+ "severity": "medium",
+ "description": "Ensure that SSH will display the date and time of the last successful account logon.The default SSH configuration enables print of the date and time of the last login.\nThe appropriate configuration is used if no value is set for.To explicitly enable LastLog in SSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_print_last_log",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_print_last_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_print_last_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "1",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.10",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-000052",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.6.1",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.2",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.4",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.5",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.6",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.7",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.8",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "4.3.3.6.9",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 1.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.10",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.5",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.7",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 1.9",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.18.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "AC-9",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-9(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-7",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_print_last_log",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "1",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.10",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-000052",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.6.1",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.2",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.4",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.5",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.6",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.7",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.8",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "4.3.3.6.9",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 1.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.10",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.5",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.7",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 1.9",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.18.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "AC-9",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-9(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-7",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable SSH Print Last Log",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_print_last_log",
+ "desc": "Ensure that SSH will display the date and time of the last successful account logon.The default SSH configuration enables print of the date and time of the last login.\nThe appropriate configuration is used if no value is set for.To explicitly enable LastLog in SSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "Providing users feedback on when account accesses last occurred facilitates user\nrecognition and reporting of unauthorized account use.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable SSH Print Last Log\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"PrintLastLog\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"PrintLastLog yes\",\n \"text\": \"Ensure that SSH will display the date and time of the last successful account logon.The default SSH configuration enables print of the date and time of the last login.\\nThe appropriate configuration is used if no value is set for.To explicitly enable LastLog in SSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"1\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.10\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-000052\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.6.1\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.2\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.4\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.5\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.6\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.7\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.8\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"4.3.3.6.9\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 1.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.10\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.5\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.7\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 1.9\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.18.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"AC-9\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-9(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-7\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Providing users feedback on when account accesses last occurred facilitates user\\nrecognition and reporting of unauthorized account use.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*PrintLastLog\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"PrintLastLog yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"PrintLastLog yes\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_print_last_log\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Enable SSH Print Last Log\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PrintLastLog\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*PrintLastLog\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*PrintLastLog\\\\s+\\n line: PrintLastLog yes\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-9\\n - NIST-800-53-AC-9(1)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_print_last_log\",\n \"id\": \"sshd_print_last_log\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_print_last_log:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_print_last_log_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_print_last_log\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Ensure that SSH will display the date and time of the last successful account logon.The default SSH configuration enables print of the date and time of the last login.\nThe appropriate configuration is used if no value is set for.To explicitly enable LastLog in SSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000068"
+ ],
+ "nist": [
+ "AC-17 (2)"
+ ],
+ "severity": "medium",
+ "description": "Theparameter specifies how often\nthe session key of the is renegotiated, both in terms of\namount of data that may be transmitted and the time\nelapsed.To decrease the default limits, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_rekey_limit",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_rekey_limit_time:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\"\n },\n {\n \"export-name\": \"oval:ssg-var_rekey_limit_size:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_rekey_limit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000068",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "FCS_SSH_EXT.1.8",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000033-GPOS-00014",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_rekey_limit",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000068",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "FCS_SSH_EXT.1.8",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000033-GPOS-00014",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Force frequent session key renegotiation",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_rekey_limit",
+ "desc": "Theparameter specifies how often\nthe session key of the is renegotiated, both in terms of\namount of data that may be transmitted and the time\nelapsed.To decrease the default limits, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "By decreasing the limit based on the amount of data and enabling\ntime-based limit, effects of potential attacks against\nencryption keys are limited.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Force frequent session key renegotiation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"RekeyLimit\",\n \"/etc/ssh/sshd_config\"\n ],\n \"br\": \"\",\n \"pre\": {\n \"sub\": [\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\",\n \"use\": \"legacy\"\n },\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\",\n \"use\": \"legacy\"\n }\n ],\n \"text\": \"RekeyLimit\"\n },\n \"text\": \"Theparameter specifies how often\\nthe session key of the is renegotiated, both in terms of\\namount of data that may be transmitted and the time\\nelapsed.To decrease the default limits, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000068\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"FCS_SSH_EXT.1.8\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000033-GPOS-00014\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"By decreasing the limit based on the amount of data and enabling\\ntime-based limit, effects of potential attacks against\\nencryption keys are limited.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": [\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\",\n \"use\": \"legacy\"\n },\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\",\n \"use\": \"legacy\"\n }\n ],\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_rekey_limit_size=''\\nvar_rekey_limit_time=''\\n\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*RekeyLimit\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"RekeyLimit $var_rekey_limit_size $var_rekey_limit_time\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_rekey_limit\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"sub\": [\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\",\n \"use\": \"legacy\"\n },\n {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\",\n \"use\": \"legacy\"\n }\n ],\n \"text\": \"- name: XCCDF Value var_rekey_limit_size # promote to variable\\n set_fact:\\n var_rekey_limit_size: !!strtags:\\n - always\\n- name: XCCDF Value var_rekey_limit_time # promote to variable\\n set_fact:\\n var_rekey_limit_time: !!strtags:\\n - always\\n\\n- name: Force frequent session key renegotiation\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*RekeyLimit\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*RekeyLimit\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*RekeyLimit\\\\s+\\n line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - sshd_rekey_limit\",\n \"id\": \"sshd_rekey_limit\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_rekey_limit_time:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_time\"\n },\n {\n \"export-name\": \"oval:ssg-var_rekey_limit_size:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_rekey_limit_size\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_rekey_limit:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_rekey_limit\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter specifies how often\nthe session key of the is renegotiated, both in terms of\namount of data that may be transmitted and the time\nelapsed.To decrease the default limits, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Theparameter to the SSH server specifies the time allowed for successful authentication to\nthe SSH server. The longer the Grace period is the more open unauthenticated connections\ncan exist. Like other session controls in this session the Grace Period should be limited to\nappropriate limits to ensure the service is available for needed access.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_login_grace_time:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_login_grace_time:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_login_grace_time_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure SSH LoginGraceTime is configured",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time",
+ "desc": "Theparameter to the SSH server specifies the time allowed for successful authentication to\nthe SSH server. The longer the Grace period is the more open unauthenticated connections\ncan exist. Like other session controls in this session the Grace Period should be limited to\nappropriate limits to ensure the service is available for needed access.",
+ "descriptions": [
+ {
+ "data": "Setting theparameter to a low number will minimize the risk of successful\nbrute force attacks to the SSH server. It will also limit the number of concurrent\nunauthenticated connections.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure SSH LoginGraceTime is configured\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"LoginGraceTime\",\n \"text\": \"Theparameter to the SSH server specifies the time allowed for successful authentication to\\nthe SSH server. The longer the Grace period is the more open unauthenticated connections\\ncan exist. Like other session controls in this session the Grace Period should be limited to\\nappropriate limits to ensure the service is available for needed access.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"code\": \"LoginGraceTime\",\n \"text\": \"Setting theparameter to a low number will minimize the risk of successful\\nbrute force attacks to the SSH server. It will also limit the number of concurrent\\nunauthenticated connections.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_sshd_set_login_grace_time=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*LoginGraceTime\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"LoginGraceTime $var_sshd_set_login_grace_time\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"LoginGraceTime $var_sshd_set_login_grace_time\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_login_grace_time\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sshd_set_login_grace_time # promote to variable\\n set_fact:\\n var_sshd_set_login_grace_time: !!strtags:\\n - always\\n\\n- name: Ensure SSH LoginGraceTime is configured\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LoginGraceTime\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LoginGraceTime\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*LoginGraceTime\\\\s+\\n line: LoginGraceTime {{ var_sshd_set_login_grace_time }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_login_grace_time\",\n \"id\": \"sshd_set_login_grace_time\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_set_login_grace_time:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_login_grace_time:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_login_grace_time_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter to the SSH server specifies the time allowed for successful authentication to\nthe SSH server. The longer the Grace period is the more open unauthenticated connections\ncan exist. Like other session controls in this session the Grace Period should be limited to\nappropriate limits to ensure the service is available for needed access.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "low",
+ "description": "The INFO parameter specifices that record login and logout activity will be logged.The default SSH configuration sets the log level to INFO. The appropriate\nconfiguration is used if no value is set for.To explicitly specify the log level in SSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_loglevel_info:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "low",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Set LogLevel to INFO",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info",
+ "desc": "The INFO parameter specifices that record login and logout activity will be logged.The default SSH configuration sets the log level to INFO. The appropriate\nconfiguration is used if no value is set for.To explicitly specify the log level in SSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "SSH provides several logging levels with varying amounts of verbosity.is specifically\nnot recommended other than strictly for debugging SSH communications since it provides\nso much data that it is difficult to identify important security information.level is the\nbasic level that only records login activity of SSH users. In many situations, such as Incident\nResponse, it is important to determine when a particular user was active on a system. The\nlogout record can eliminate those users who disconnected, which helps narrow the field.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Set LogLevel to INFO\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"LogLevel\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"LogLevel INFO\",\n \"text\": \"The INFO parameter specifices that record login and logout activity will be logged.The default SSH configuration sets the log level to INFO. The appropriate\\nconfiguration is used if no value is set for.To explicitly specify the log level in SSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"DEBUG\",\n \"INFO\"\n ],\n \"text\": \"SSH provides several logging levels with varying amounts of verbosity.is specifically\\nnot recommended other than strictly for debugging SSH communications since it provides\\nso much data that it is difficult to identify important security information.level is the\\nbasic level that only records login activity of SSH users. In many situations, such as Incident\\nResponse, it is important to determine when a particular user was active on a system. The\\nlogout record can eliminate those users who disconnected, which helps narrow the field.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*LogLevel\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"LogLevel INFO\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"LogLevel INFO\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_loglevel_info\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Set LogLevel to INFO\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n line: LogLevel INFO\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - low_complexity\\n - low_disruption\\n - low_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_loglevel_info\",\n \"id\": \"sshd_set_loglevel_info\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_loglevel_info:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"low\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The INFO parameter specifices that record login and logout activity will be logged.The default SSH configuration sets the log level to INFO. The appropriate\nconfiguration is used if no value is set for.To explicitly specify the log level in SSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000067"
+ ],
+ "nist": [
+ "AC-17 (1)",
+ "AC-17 a.",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Theparameter configures the SSH daemon to record login and logout activity.\nTo specify the log level in\nSSH, add or correct the following line in:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_loglevel_verbose:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CCI-000067",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CIP-007-3 R7.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000032-GPOS-00013",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CCI-000067",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CIP-007-3 R7.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000032-GPOS-00013",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Set SSH Daemon LogLevel to VERBOSE",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose",
+ "desc": "Theparameter configures the SSH daemon to record login and logout activity.\nTo specify the log level in\nSSH, add or correct the following line in:",
+ "descriptions": [
+ {
+ "data": "SSH provides several logging levels with varying amounts of verbosity.is specifically\nnot recommended other than strictly for debugging SSH communications since it provides\nso much data that it is difficult to identify important security information.orlevel is the basic level that only records login activity of SSH users. In many\nsituations, such as Incident Response, it is important to determine when a particular user was active\non a system. The logout record can eliminate those users who disconnected, which helps narrow the\nfield.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH Daemon LogLevel to VERBOSE\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"VERBOSE\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": \"LogLevel VERBOSE\",\n \"text\": \"Theparameter configures the SSH daemon to record login and logout activity.\\nTo specify the log level in\\nSSH, add or correct the following line in:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CCI-000067\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CIP-007-3 R7.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000032-GPOS-00013\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"code\": [\n \"DEBUG\",\n \"INFO\",\n \"VERBOSE\"\n ],\n \"text\": \"SSH provides several logging levels with varying amounts of verbosity.is specifically\\nnot recommended other than strictly for debugging SSH communications since it provides\\nso much data that it is difficult to identify important security information.orlevel is the basic level that only records login activity of SSH users. In many\\nsituations, such as Incident Response, it is important to determine when a particular user was active\\non a system. The logout record can eliminate those users who disconnected, which helps narrow the\\nfield.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*LogLevel\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"LogLevel VERBOSE\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"LogLevel VERBOSE\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_loglevel_verbose\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"text\": \"- name: Set SSH Daemon LogLevel to VERBOSE\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*LogLevel\\\\s+\\n line: LogLevel VERBOSE\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-AC-17(1)\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_loglevel_verbose\",\n \"id\": \"sshd_set_loglevel_verbose\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_loglevel_verbose:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter configures the SSH daemon to record login and logout activity.\nTo specify the log level in\nSSH, add or correct the following line in:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Theparameter specifies the maximum number of authentication attempts\npermitted per connection. Once the number of failures reaches half this value, additional failures are logged.\nto set MaxAUthTries editas follows:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_max_auth_tries_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_max_auth_tries:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "sshd_set_max_auth_tries",
+ "reference": {
+ "references": [
+ {
+ "text": "0421",
+ "href": ""
+ },
+ {
+ "text": "0422",
+ "href": ""
+ },
+ {
+ "text": "0431",
+ "href": ""
+ },
+ {
+ "text": "0974",
+ "href": ""
+ },
+ {
+ "text": "1173",
+ "href": ""
+ },
+ {
+ "text": "1401",
+ "href": ""
+ },
+ {
+ "text": "1504",
+ "href": ""
+ },
+ {
+ "text": "1505",
+ "href": ""
+ },
+ {
+ "text": "1546",
+ "href": ""
+ },
+ {
+ "text": "1557",
+ "href": ""
+ },
+ {
+ "text": "1558",
+ "href": ""
+ },
+ {
+ "text": "1559",
+ "href": ""
+ },
+ {
+ "text": "1560",
+ "href": ""
+ },
+ {
+ "text": "1561",
+ "href": ""
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [
+ {
+ "id": "xccdf_org.ssgproject.content_profile_cis",
+ "description": "This baseline aligns to the Center for Internet Security\nUbuntu 18.04 LTS Benchmark, v1.0.0, released\n08-13-2018.",
+ "title": "CIS Ubuntu 18.04 LTS Benchmark"
+ }
+ ],
+ "rule_result": {
+ "result": "notapplicable",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "0421"
+ },
+ {
+ "ref": "0422"
+ },
+ {
+ "ref": "0431"
+ },
+ {
+ "ref": "0974"
+ },
+ {
+ "ref": "1173"
+ },
+ {
+ "ref": "1401"
+ },
+ {
+ "ref": "1504"
+ },
+ {
+ "ref": "1505"
+ },
+ {
+ "ref": "1546"
+ },
+ {
+ "ref": "1557"
+ },
+ {
+ "ref": "1558"
+ },
+ {
+ "ref": "1559"
+ },
+ {
+ "ref": "1560"
+ },
+ {
+ "ref": "1561"
+ }
+ ],
+ "source_location": {},
+ "title": "Set SSH authentication attempt limit",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries",
+ "desc": "Theparameter specifies the maximum number of authentication attempts\npermitted per connection. Once the number of failures reaches half this value, additional failures are logged.\nto set MaxAUthTries editas follows:",
+ "descriptions": [
+ {
+ "data": "# Remediation is applicable only in certain platforms\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\n\nsshd_max_auth_tries_value=''\n\n\nif [ -e \"/etc/ssh/sshd_config\" ] ; then\n \n LC_ALL=C sed -i \"/^\\s*MaxAuthTries\\s\\+/Id\" \"/etc/ssh/sshd_config\"\nelse\n touch \"/etc/ssh/sshd_config\"\nfi\n# make sure file has newline at the end\nsed -i -e '$a\\' \"/etc/ssh/sshd_config\"\n\ncp \"/etc/ssh/sshd_config\" \"/etc/ssh/sshd_config.bak\"\n# Insert before the line matching the regex '^Match'.\nline_number=\"$(LC_ALL=C grep -n \"^Match\" \"/etc/ssh/sshd_config.bak\" | LC_ALL=C sed 's/:.*//g')\"\nif [ -z \"$line_number\" ]; then\n # There was no match of '^Match', insert at\n # the end of the file.\n printf '%s\\n' \"MaxAuthTries $sshd_max_auth_tries_value\" >> \"/etc/ssh/sshd_config\"\nelse\n head -n \"$(( line_number - 1 ))\" \"/etc/ssh/sshd_config.bak\" > \"/etc/ssh/sshd_config\"\n printf '%s\\n' \"MaxAuthTries $sshd_max_auth_tries_value\" >> \"/etc/ssh/sshd_config\"\n tail -n \"+$(( line_number ))\" \"/etc/ssh/sshd_config.bak\" >> \"/etc/ssh/sshd_config\"\nfi\n# Clean up after ourselves.\nrm \"/etc/ssh/sshd_config.bak\"\n\nelse\n >&2 echo 'Remediation is not applicable, nothing was done'\nfi",
+ "label": "fix"
+ },
+ {
+ "data": "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful\nbrute force attacks to the SSH server.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH authentication attempt limit\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"MaxAuthTries\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"MaxAuthTries\"\n },\n \"text\": \"Theparameter specifies the maximum number of authentication attempts\\npermitted per connection. Once the number of failures reaches half this value, additional failures are logged.\\nto set MaxAUthTries editas follows:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"0421\",\n \"href\": \"\"\n },\n {\n \"text\": \"0422\",\n \"href\": \"\"\n },\n {\n \"text\": \"0431\",\n \"href\": \"\"\n },\n {\n \"text\": \"0974\",\n \"href\": \"\"\n },\n {\n \"text\": \"1173\",\n \"href\": \"\"\n },\n {\n \"text\": \"1401\",\n \"href\": \"\"\n },\n {\n \"text\": \"1504\",\n \"href\": \"\"\n },\n {\n \"text\": \"1505\",\n \"href\": \"\"\n },\n {\n \"text\": \"1546\",\n \"href\": \"\"\n },\n {\n \"text\": \"1557\",\n \"href\": \"\"\n },\n {\n \"text\": \"1558\",\n \"href\": \"\"\n },\n {\n \"text\": \"1559\",\n \"href\": \"\"\n },\n {\n \"text\": \"1560\",\n \"href\": \"\"\n },\n {\n \"text\": \"1561\",\n \"href\": \"\"\n }\n ],\n \"rationale\": {\n \"text\": \"Setting the MaxAuthTries parameter to a low number will minimize the risk of successful\\nbrute force attacks to the SSH server.\",\n \"lang\": \"en-US\"\n },\n \"fix\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nsshd_max_auth_tries_value=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*MaxAuthTries\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"MaxAuthTries $sshd_max_auth_tries_value\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"MaxAuthTries $sshd_max_auth_tries_value\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_max_auth_tries\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_max_auth_tries_value:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_max_auth_tries:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter specifies the maximum number of authentication attempts\npermitted per connection. Once the number of failures reaches half this value, additional failures are logged.\nto set MaxAUthTries editas follows:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Theparameter specifies the maximum number of open sessions permitted\nfrom a given connection. To set MaxSessions editas follows:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_max_sessions",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_max_sessions:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_max_sessions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_max_sessions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_max_sessions",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Set SSH MaxSessions limit",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_max_sessions",
+ "desc": "Theparameter specifies the maximum number of open sessions permitted\nfrom a given connection. To set MaxSessions editas follows:",
+ "descriptions": [
+ {
+ "data": "To protect a system from denial of service due to a large number of concurrent\nsessions, use the rate limiting function of MaxSessions to protect availability\nof sshd logins and prevent overwhelming the daemon.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Set SSH MaxSessions limit\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"MaxSessions\",\n \"/etc/ssh/sshd_config\"\n ],\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\",\n \"use\": \"legacy\"\n },\n \"text\": \"MaxSessions\"\n },\n \"text\": \"Theparameter specifies the maximum number of open sessions permitted\\nfrom a given connection. To set MaxSessions editas follows:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"To protect a system from denial of service due to a large number of concurrent\\nsessions, use the rate limiting function of MaxSessions to protect availability\\nof sshd logins and prevent overwhelming the daemon.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_sshd_max_sessions=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*MaxSessions\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"MaxSessions $var_sshd_max_sessions\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"MaxSessions $var_sshd_max_sessions\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_max_sessions\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sshd_max_sessions # promote to variable\\n set_fact:\\n var_sshd_max_sessions: !!strtags:\\n - always\\n\\n- name: Set SSH MaxSessions limit\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*MaxSessions\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*MaxSessions\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*MaxSessions\\\\s+\\n line: MaxSessions {{ var_sshd_max_sessions }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - configure_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - sshd_set_max_sessions\",\n \"id\": \"sshd_set_max_sessions\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n }\n ],\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_max_sessions:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_max_sessions\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_max_sessions:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_max_sessions_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_max_sessions\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Theparameter specifies the maximum number of open sessions permitted\nfrom a given connection. To set MaxSessions editas follows:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "The MaxStartups parameter specifies the maximum number of concurrent\nunauthenticated connections to the SSH daemon. Additional connections will be\ndropped until authentication succeeds or the LoginGraceTime expires for a\nconnection. To confgure MaxStartups, you should add or correct the following\nline in thefile:CIS recommends a MaxStartups value of '10:30:60', or more restrictive where\ndictated by site policy.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_set_maxstartups",
+ "check": "[\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_maxstartups:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_maxstartups_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_set_maxstartups",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Ensure SSH MaxStartups is configured",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_set_maxstartups",
+ "desc": "The MaxStartups parameter specifies the maximum number of concurrent\nunauthenticated connections to the SSH daemon. Additional connections will be\ndropped until authentication succeeds or the LoginGraceTime expires for a\nconnection. To confgure MaxStartups, you should add or correct the following\nline in thefile:CIS recommends a MaxStartups value of '10:30:60', or more restrictive where\ndictated by site policy.",
+ "descriptions": [
+ {
+ "data": "To protect a system from denial of service due to a large number of pending\nauthentication connection attempts, use the rate limiting function of MaxStartups\nto protect availability of sshd logins and prevent overwhelming the daemon.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Ensure SSH MaxStartups is configured\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups\",\n \"use\": \"legacy\"\n },\n \"text\": \"MaxStartups\"\n },\n \"text\": \"The MaxStartups parameter specifies the maximum number of concurrent\\nunauthenticated connections to the SSH daemon. Additional connections will be\\ndropped until authentication succeeds or the LoginGraceTime expires for a\\nconnection. To confgure MaxStartups, you should add or correct the following\\nline in thefile:CIS recommends a MaxStartups value of '10:30:60', or more restrictive where\\ndictated by site policy.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"To protect a system from denial of service due to a large number of pending\\nauthentication connection attempts, use the rate limiting function of MaxStartups\\nto protect availability of sshd logins and prevent overwhelming the daemon.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_sshd_set_maxstartups=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*MaxStartups\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"MaxStartups $var_sshd_set_maxstartups\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"MaxStartups $var_sshd_set_maxstartups\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_set_maxstartups\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sshd_set_maxstartups # promote to variable\\n set_fact:\\n var_sshd_set_maxstartups: !!strtags:\\n - always\\n\\n- name: Ensure SSH MaxStartups is configured\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*MaxStartups\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*MaxStartups\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*MaxStartups\\\\s+\\n line: MaxStartups {{ var_sshd_set_maxstartups }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_set_maxstartups\",\n \"id\": \"sshd_set_maxstartups\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n },\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_set_maxstartups:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_set_maxstartups_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_set_maxstartups\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The MaxStartups parameter specifies the maximum number of concurrent\nunauthenticated connections to the SSH daemon. Additional connections will be\ndropped until authentication succeeds or the LoginGraceTime expires for a\nconnection. To confgure MaxStartups, you should add or correct the following\nline in thefile:CIS recommends a MaxStartups value of '10:30:60', or more restrictive where\ndictated by site policy.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "CM-6 a.",
+ "AC-17 a.",
+ "AC-6"
+ ],
+ "severity": "medium",
+ "description": "When enabled, SSH will create an unprivileged child process that\nhas the privilege of the authenticated user. To enable privilege separation in\nSSH, add or correct the following line in thefile:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh_server",
+ "group_title": "Configure OpenSSH Server if Necessary",
+ "group_description": "If the system needs to act as an SSH server, then\ncertain changes should be made to the OpenSSH daemon configuration\nfile. The following recommendations can be\napplied to this file. See theman page for more\ndetailed information.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_sshd_use_priv_separation",
+ "check": "[\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_priv_separation:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_use_priv_separation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.12",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "164.308(a)(4)(i)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.308(b)(3)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.310(b)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(1)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "164.312(e)(2)(ii)",
+ "href": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_sshd_use_priv_separation",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.12",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "164.308(a)(4)(i)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.308(b)(3)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.310(b)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(1)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "164.312(e)(2)(ii)",
+ "url": "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Enable Use of Privilege Separation",
+ "id": "xccdf_org.ssgproject.content_rule_sshd_use_priv_separation",
+ "desc": "When enabled, SSH will create an unprivileged child process that\nhas the privilege of the authenticated user. To enable privilege separation in\nSSH, add or correct the following line in thefile:",
+ "descriptions": [
+ {
+ "data": "SSH daemon privilege separation causes the SSH process to drop root privileges\nwhen not needed which would decrease the impact of software vulnerabilities in\nthe unprivileged section.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Enable Use of Privilege Separation\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/sshd_config\",\n \"pre\": {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\",\n \"use\": \"legacy\"\n },\n \"text\": \"UsePrivilegeSeparation\"\n },\n \"text\": \"When enabled, SSH will create an unprivileged child process that\\nhas the privilege of the authenticated user. To enable privilege separation in\\nSSH, add or correct the following line in thefile:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.12\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"164.308(a)(4)(i)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.308(b)(3)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.310(b)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(1)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"164.312(e)(2)(ii)\",\n \"href\": \"https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"SSH daemon privilege separation causes the SSH process to drop root privileges\\nwhen not needed which would decrease the impact of software vulnerabilities in\\nthe unprivileged section.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\",\n \"use\": \"legacy\"\n },\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nvar_sshd_priv_separation=''\\n\\n\\nif [ -e \\\"/etc/ssh/sshd_config\\\" ] ; then\\n \\n LC_ALL=C sed -i \\\"/^\\\\s*UsePrivilegeSeparation\\\\s\\\\+/Id\\\" \\\"/etc/ssh/sshd_config\\\"\\nelse\\n touch \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# make sure file has newline at the end\\nsed -i -e '$a\\\\' \\\"/etc/ssh/sshd_config\\\"\\n\\ncp \\\"/etc/ssh/sshd_config\\\" \\\"/etc/ssh/sshd_config.bak\\\"\\n# Insert before the line matching the regex '^Match'.\\nline_number=\\\"$(LC_ALL=C grep -n \\\"^Match\\\" \\\"/etc/ssh/sshd_config.bak\\\" | LC_ALL=C sed 's/:.*//g')\\\"\\nif [ -z \\\"$line_number\\\" ]; then\\n # There was no match of '^Match', insert at\\n # the end of the file.\\n printf '%s\\\\n' \\\"UsePrivilegeSeparation $var_sshd_priv_separation\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nelse\\n head -n \\\"$(( line_number - 1 ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" > \\\"/etc/ssh/sshd_config\\\"\\n printf '%s\\\\n' \\\"UsePrivilegeSeparation $var_sshd_priv_separation\\\" >> \\\"/etc/ssh/sshd_config\\\"\\n tail -n \\\"+$(( line_number ))\\\" \\\"/etc/ssh/sshd_config.bak\\\" >> \\\"/etc/ssh/sshd_config\\\"\\nfi\\n# Clean up after ourselves.\\nrm \\\"/etc/ssh/sshd_config.bak\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"sshd_use_priv_separation\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n },\n {\n \"sub\": {\n \"idref\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\",\n \"use\": \"legacy\"\n },\n \"text\": \"- name: XCCDF Value var_sshd_priv_separation # promote to variable\\n set_fact:\\n var_sshd_priv_separation: !!strtags:\\n - always\\n\\n- name: Enable Use of Privilege Separation\\n block:\\n\\n - name: Check for duplicate values\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*UsePrivilegeSeparation\\\\s+\\n state: absent\\n check_mode: true\\n changed_when: false\\n register: dupes\\n\\n - name: Deduplicate values from /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: false\\n regexp: (?i)^\\\\s*UsePrivilegeSeparation\\\\s+\\n state: absent\\n when: dupes.found is defined and dupes.found > 1\\n\\n - name: Insert correct line to /etc/ssh/sshd_config\\n lineinfile:\\n path: /etc/ssh/sshd_config\\n create: true\\n regexp: (?i)^\\\\s*UsePrivilegeSeparation\\\\s+\\n line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}\\n state: present\\n insertbefore: ^[#\\\\s]*Match\\n validate: /usr/sbin/sshd -t -f %s\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.12\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6\\n - NIST-800-53-CM-6(a)\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - restrict_strategy\\n - sshd_use_priv_separation\",\n \"id\": \"sshd_use_priv_separation\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"restrict\"\n }\n ],\n \"check\": [\n {\n \"check-export\": [\n {\n \"export-name\": \"oval:ssg-var_sshd_priv_separation:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_var_sshd_priv_separation\"\n },\n {\n \"export-name\": \"oval:ssg-sshd_required:var:1\",\n \"value-id\": \"xccdf_org.ssgproject.content_value_sshd_required\"\n }\n ],\n \"check-content-ref\": {\n \"name\": \"oval:ssg-sshd_use_priv_separation:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_sshd_use_priv_separation\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "When enabled, SSH will create an unprivileged child process that\nhas the privilege of the authenticated user. To enable privilege separation in\nSSH, add or correct the following line in thefile:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-002418",
+ "CCI-002420",
+ "CCI-002421",
+ "CCI-002422"
+ ],
+ "nist": [
+ "SC-8",
+ "SC-8 (2)",
+ "SC-8 (1)",
+ "CM-6 a."
+ ],
+ "severity": "medium",
+ "description": "Thepackage should be installed.\nThepackage can be installed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_openssh-server_installed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_openssh-server_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "CCI-002418",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002420",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002421",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "CCI-002422",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "SR 3.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 3.8",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 4.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.DS-2",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "FIA_UAU.5",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FTP_ITC_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FCS_SSH_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "FCS_SSHS_EXT.1",
+ "href": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "text": "SRG-OS-000423-GPOS-00187",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000424-GPOS-00188",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000425-GPOS-00189",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "text": "SRG-OS-000426-GPOS-00190",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_openssh-server_installed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "CCI-002418",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002420",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002421",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "CCI-002422",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "SR 3.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 3.8",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 4.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.DS-2",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "FIA_UAU.5",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FTP_ITC_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FCS_SSH_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "FCS_SSHS_EXT.1",
+ "url": "https://www.niap-ccevs.org/Profile/PP.cfm"
+ },
+ {
+ "ref": "SRG-OS-000423-GPOS-00187",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000424-GPOS-00188",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000425-GPOS-00189",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ },
+ {
+ "ref": "SRG-OS-000426-GPOS-00190",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Install the OpenSSH Server Package",
+ "id": "xccdf_org.ssgproject.content_rule_package_openssh-server_installed",
+ "desc": "Thepackage should be installed.\nThepackage can be installed with the following command:",
+ "descriptions": [
+ {
+ "data": "Without protection of the transmitted information, confidentiality, and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Install the OpenSSH Server Package\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"openssh-server\",\n \"openssh-server\"\n ],\n \"pre\": \"$ apt-get install openssh-server\",\n \"text\": \"Thepackage should be installed.\\nThepackage can be installed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"CCI-002418\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002420\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002421\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"CCI-002422\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"SR 3.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 3.8\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 4.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.DS-2\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"FIA_UAU.5\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FTP_ITC_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FCS_SSH_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"FCS_SSHS_EXT.1\",\n \"href\": \"https://www.niap-ccevs.org/Profile/PP.cfm\"\n },\n {\n \"text\": \"SRG-OS-000423-GPOS-00187\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000424-GPOS-00188\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000425-GPOS-00189\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n },\n {\n \"text\": \"SRG-OS-000426-GPOS-00190\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"Without protection of the transmitted information, confidentiality, and\\nintegrity may be compromised because unprotected communications can be\\nintercepted and either read or altered.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nDEBIAN_FRONTEND=noninteractive apt-get install -y \\\"openssh-server\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_openssh-server_installed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"- name: Ensure openssh-server is installed\\n package:\\n name: openssh-server\\n state: present\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-6(a)\\n - enable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_openssh-server_installed\",\n \"id\": \"package_openssh-server_installed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"include install_openssh-server\\n\\nclass install_openssh-server {\\n package { 'openssh-server':\\n ensure => 'installed',\\n }\\n}\",\n \"id\": \"package_openssh-server_installed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"[[packages]]\\nname = \\\"openssh-server\\\"\\nversion = \\\"*\\\"\",\n \"id\": \"package_openssh-server_installed\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_openssh-server_installed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_openssh-server_installed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thepackage should be installed.\nThepackage can be installed with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "medium",
+ "description": "Thepackage should be removed.\nThepackage can be removed with the following command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_package_openssh-server_removed",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_openssh-server_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_package_openssh-server_removed",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Remove the OpenSSH Server Package",
+ "id": "xccdf_org.ssgproject.content_rule_package_openssh-server_removed",
+ "desc": "Thepackage should be removed.\nThepackage can be removed with the following command:",
+ "descriptions": [
+ {
+ "data": "Without protection of the transmitted information, confidentiality, and\nintegrity may be compromised because unprotected communications can be\nintercepted and either read or altered.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Remove the OpenSSH Server Package\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"openssh-server\",\n \"openssh-server\"\n ],\n \"pre\": \"$ apt-get remove openssh-server\",\n \"text\": \"Thepackage should be removed.\\nThepackage can be removed with the following command:\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"Without protection of the transmitted information, confidentiality, and\\nintegrity may be compromised because unprotected communications can be\\nintercepted and either read or altered.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\n# CAUTION: This remediation script will remove openssh-server\\n#\\t from the system, and may remove any packages\\n#\\t that depend on openssh-server. Execute this\\n#\\t remediation AFTER testing on a non-production\\n#\\t system!\\n\\nDEBIAN_FRONTEND=noninteractive apt-get remove -y \\\"openssh-server\\\"\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"package_openssh-server_removed\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Ensure openssh-server is removed\\n package:\\n name: openssh-server\\n state: absent\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n - package_openssh-server_removed\",\n \"id\": \"package_openssh-server_removed\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include remove_openssh-server\\n\\nclass remove_openssh-server {\\n package { 'openssh-server':\\n ensure => 'purged',\\n }\\n}\",\n \"id\": \"package_openssh-server_removed\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-package_openssh-server_removed:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_package_openssh-server_removed\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "Thepackage should be removed.\nThepackage can be removed with the following command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5",
+ "CM-3 (6)",
+ "IA-2 (4)"
+ ],
+ "severity": "unknown",
+ "description": "The SSH server service, sshd, is commonly needed.\nHowever, if it can be disabled, do so.\n\n\nTheservice can be disabled with the following command:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_service_sshd_disabled",
+ "check": "{\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_sshd_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n}",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "CM-3(6)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "IA-2(4)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_service_sshd_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "CM-3(6)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "IA-2(4)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "source_location": {},
+ "title": "Disable SSH Server If Possible (Unusual)",
+ "id": "xccdf_org.ssgproject.content_rule_service_sshd_disabled",
+ "desc": "The SSH server service, sshd, is commonly needed.\nHowever, if it can be disabled, do so.\n\n\nTheservice can be disabled with the following command:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "descriptions": [
+ {
+ "data": "oval:ssg-service_sshd_disabled:def:1",
+ "label": "check"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Disable SSH Server If Possible (Unusual)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"sshd\",\n \"pre\": \"$ sudo systemctl mask --now sshd.service\",\n \"text\": \"The SSH server service, sshd, is commonly needed.\\nHowever, if it can be disabled, do so.\\n\\n\\nTheservice can be disabled with the following command:This is unusual, as SSH is a common method for encrypted and authenticated\\nremote access.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"CM-3(6)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"IA-2(4)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n }\n ],\n \"rationale\": {\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nSYSTEMCTL_EXEC='/usr/bin/systemctl'\\n\\\"$SYSTEMCTL_EXEC\\\" stop 'ssh.service'\\n\\\"$SYSTEMCTL_EXEC\\\" disable 'ssh.service'\\n\\\"$SYSTEMCTL_EXEC\\\" mask 'ssh.service'\\n# Disable socket activation if we have a unit file for it\\nif \\\"$SYSTEMCTL_EXEC\\\" -q list-unit-files ssh.socket; then\\n \\\"$SYSTEMCTL_EXEC\\\" stop 'ssh.socket'\\n \\\"$SYSTEMCTL_EXEC\\\" mask 'ssh.socket'\\nfi\\n# The service may not be running because it has been started and failed,\\n# so let's reset the state so OVAL checks pass.\\n# Service should be 'inactive', not 'failed' after reboot though.\\n\\\"$SYSTEMCTL_EXEC\\\" reset-failed 'ssh.service' || true\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"service_sshd_disabled\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"- name: Disable service sshd\\n block:\\n\\n - name: Disable service sshd\\n systemd:\\n name: ssh.service\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n ignore_errors: 'yes'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-3(6)\\n - NIST-800-53-IA-2(4)\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_sshd_disabled\\n - unknown_severity\\n\\n- name: Unit Socket Exists - ssh.socket\\n command: systemctl list-unit-files ssh.socket\\n register: socket_file_exists\\n changed_when: false\\n ignore_errors: true\\n check_mode: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-53-CM-3(6)\\n - NIST-800-53-IA-2(4)\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_sshd_disabled\\n - unknown_severity\\n\\n- name: Disable socket sshd\\n systemd:\\n name: ssh.socket\\n enabled: 'no'\\n state: stopped\\n masked: 'yes'\\n when:\\n - ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n - '\\\"ssh.socket\\\" in socket_file_exists.stdout_lines[1]'\\n tags:\\n - NIST-800-53-CM-3(6)\\n - NIST-800-53-IA-2(4)\\n - disable_strategy\\n - low_complexity\\n - low_disruption\\n - no_reboot_needed\\n - service_sshd_disabled\\n - unknown_severity\",\n \"id\": \"service_sshd_disabled\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"include disable_sshd\\n\\nclass disable_sshd {\\n service {'ssh':\\n enable => false,\\n ensure => 'stopped',\\n }\\n}\",\n \"id\": \"service_sshd_disabled\",\n \"system\": \"urn:xccdf:fix:script:puppet\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"enable\"\n },\n {\n \"text\": \"apiVersion: machineconfiguration.openshift.io/v1\\nkind: MachineConfig\\nspec:\\n config:\\n ignition:\\n version: 3.1.0\\n systemd:\\n units:\\n - name: ssh.service\\n enabled: false\\n mask: true\\n - name: ssh.socket\\n enabled: false\\n mask: true\",\n \"id\": \"service_sshd_disabled\",\n \"system\": \"urn:xccdf:fix:script:kubernetes\",\n \"reboot\": \"true\",\n \"complexity\": \"low\",\n \"disruption\": \"medium\",\n \"strategy\": \"disable\"\n },\n {\n \"text\": \"[customizations.services]\\ndisabled = [\\\"ssh\\\"]\",\n \"id\": \"service_sshd_disabled\",\n \"system\": \"urn:redhat:osbuild:blueprint\"\n }\n ],\n \"check\": {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-service_sshd_disabled:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_service_sshd_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "The SSH server service, sshd, is commonly needed.\nHowever, if it can be disabled, do so.\n\n\nTheservice can be disabled with the following command:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "SSH server private keys - files that match theglob, have to have restricted permissions.\nIf those files are owned by theuser and thegroup, they have to have thepermission or stricter.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_sshd_private_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_sshd_private_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "BP28(R36)",
+ "href": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.13.10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "BP28(R36)",
+ "url": "http://www.ssi.gouv.fr/administration/bonnes-pratiques/"
+ },
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.13.10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on SSH Server Private *_key Key Files",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key",
+ "desc": "SSH server private keys - files that match theglob, have to have restricted permissions.\nIf those files are owned by theuser and thegroup, they have to have thepermission or stricter.",
+ "descriptions": [
+ {
+ "data": "If an unauthorized user obtains the private SSH host key file, the host could be\nimpersonated.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on SSH Server Private *_key Key Files\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": [\n \"/etc/ssh/*_key\",\n \"root\",\n \"root\",\n \"0600\"\n ],\n \"text\": \"SSH server private keys - files that match theglob, have to have restricted permissions.\\nIf those files are owned by theuser and thegroup, they have to have thepermission or stricter.\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"BP28(R36)\",\n \"href\": \"http://www.ssi.gouv.fr/administration/bonnes-pratiques/\"\n },\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.13.10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If an unauthorized user obtains the private SSH host key file, the host could be\\nimpersonated.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfor keyfile in /etc/ssh/*_key; do\\n test -f \\\"$keyfile\\\" || continue\\n if test root:root = \\\"$(stat -c \\\"%U:%G\\\" \\\"$keyfile\\\")\\\"; then\\n\\tchmod u-xs,g-xwrs,o-xwrt \\\"$keyfile\\\"\\n \\n else\\n echo \\\"Key-like file '$keyfile' is owned by an unexpected user:group combination\\\"\\n fi\\ndone\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"file_permissions_sshd_private_key\",\n \"system\": \"urn:xccdf:fix:script:sh\"\n },\n {\n \"text\": \"- name: Find root:root-owned keys\\n command: find -H /etc/ssh/ -maxdepth 1 -user root -regex \\\".*_key$\\\" -type f -group\\n root -perm /u+xs,g+xwrs,o+xwrt\\n register: root_owned_keys\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.13\\n - NIST-800-171-3.13.10\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - configure_strategy\\n - file_permissions_sshd_private_key\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for root:root-owned keys\\n file:\\n path: '{{ item }}'\\n mode: u-xs,g-xwrs,o-xwrt\\n state: file\\n with_items:\\n - '{{ root_owned_keys.stdout_lines }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.13\\n - NIST-800-171-3.13.10\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - configure_strategy\\n - file_permissions_sshd_private_key\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_sshd_private_key\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"include ssh_private_key_perms\\n\\nclass ssh_private_key_perms {\\n exec { 'sshd_priv_key':\\n command => \\\"chmod 0640 /etc/ssh/*_key\\\",\\n path => '/bin:/usr/bin'\\n }\\n}\",\n \"id\": \"file_permissions_sshd_private_key\",\n \"system\": \"urn:xccdf:fix:script:puppet\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_sshd_private_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_sshd_private_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "SSH server private keys - files that match theglob, have to have restricted permissions.\nIf those files are owned by theuser and thegroup, they have to have thepermission or stricter.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [
+ "CCI-000366"
+ ],
+ "nist": [
+ "CM-6 b",
+ "AC-17 a.",
+ "CM-6 a.",
+ "AC-6 (1)"
+ ],
+ "severity": "medium",
+ "description": "To properly set the permissions of, run the command:",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key",
+ "check": "[\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_sshd_pub_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_sshd_pub_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n]",
+ "fix_id": "",
+ "reference": {
+ "references": [
+ {
+ "text": "12",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "13",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "14",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "15",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "16",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "18",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "3",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "5",
+ "href": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "text": "APO01.06",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.04",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS05.07",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "DSS06.02",
+ "href": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "text": "3.1.13",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "3.13.10",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "text": "CCI-000366",
+ "href": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "text": "4.3.3.7.3",
+ "href": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "text": "SR 2.1",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "SR 5.2",
+ "href": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "text": "A.10.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.1.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.11.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.13.2.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.14.1.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.6.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.7.3.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.8.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.1.2",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.2.3",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.1",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.4",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "A.9.4.5",
+ "href": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "text": "CIP-003-8 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-003-8 R5.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-004-6 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R2.3",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.1",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "CIP-007-3 R5.1.2",
+ "href": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "text": "AC-17(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "CM-6(a)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "AC-6(1)",
+ "href": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "text": "PR.AC-4",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "PR.DS-5",
+ "href": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "text": "Req-2.2.6",
+ "href": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "text": "SRG-OS-000480-GPOS-00227",
+ "href": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ]
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "medium",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [
+ {
+ "ref": "12",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "13",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "14",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "15",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "16",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "18",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "3",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "5",
+ "url": "https://www.cisecurity.org/controls/"
+ },
+ {
+ "ref": "APO01.06",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.04",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS05.07",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "DSS06.02",
+ "url": "https://www.isaca.org/resources/cobit"
+ },
+ {
+ "ref": "3.1.13",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "3.13.10",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf"
+ },
+ {
+ "ref": "CCI-000366",
+ "url": "https://public.cyber.mil/stigs/cci/"
+ },
+ {
+ "ref": "4.3.3.7.3",
+ "url": "https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat"
+ },
+ {
+ "ref": "SR 2.1",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "SR 5.2",
+ "url": "https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu"
+ },
+ {
+ "ref": "A.10.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.1.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.11.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.13.2.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.14.1.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.6.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.7.3.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.8.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.1.2",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.2.3",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.1",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.4",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "A.9.4.5",
+ "url": "https://www.iso.org/standard/54534.html"
+ },
+ {
+ "ref": "CIP-003-8 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-003-8 R5.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-004-6 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R2.3",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.1",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "CIP-007-3 R5.1.2",
+ "url": "https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx"
+ },
+ {
+ "ref": "AC-17(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "CM-6(a)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "AC-6(1)",
+ "url": "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "ref": "PR.AC-4",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "PR.DS-5",
+ "url": "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"
+ },
+ {
+ "ref": "Req-2.2.6",
+ "url": "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf"
+ },
+ {
+ "ref": "SRG-OS-000480-GPOS-00227",
+ "url": "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+ }
+ ],
+ "source_location": {},
+ "title": "Verify Permissions on SSH Server Public *.pub Key Files",
+ "id": "xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key",
+ "desc": "To properly set the permissions of, run the command:",
+ "descriptions": [
+ {
+ "data": "If a public host key file is modified by an unauthorized user, the SSH service\nmay be compromised.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0.5,
+ "code": "{\n \"title\": {\n \"text\": \"Verify Permissions on SSH Server Public *.pub Key Files\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"code\": \"/etc/ssh/*.pub\",\n \"pre\": \"$ sudo chmod 0644 /etc/ssh/*.pub\",\n \"text\": \"To properly set the permissions of, run the command:\",\n \"lang\": \"en-US\"\n },\n \"reference\": [\n {\n \"text\": \"12\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"13\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"14\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"15\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"16\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"18\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"3\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"5\",\n \"href\": \"https://www.cisecurity.org/controls/\"\n },\n {\n \"text\": \"APO01.06\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.04\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS05.07\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"DSS06.02\",\n \"href\": \"https://www.isaca.org/resources/cobit\"\n },\n {\n \"text\": \"3.1.13\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"3.13.10\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf\"\n },\n {\n \"text\": \"CCI-000366\",\n \"href\": \"https://public.cyber.mil/stigs/cci/\"\n },\n {\n \"text\": \"4.3.3.7.3\",\n \"href\": \"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat\"\n },\n {\n \"text\": \"SR 2.1\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"SR 5.2\",\n \"href\": \"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu\"\n },\n {\n \"text\": \"A.10.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.1.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.11.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.13.2.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.14.1.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.6.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.7.3.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.8.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.1.2\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.2.3\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.1\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.4\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"A.9.4.5\",\n \"href\": \"https://www.iso.org/standard/54534.html\"\n },\n {\n \"text\": \"CIP-003-8 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-003-8 R5.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-004-6 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R2.3\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.1\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"CIP-007-3 R5.1.2\",\n \"href\": \"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx\"\n },\n {\n \"text\": \"AC-17(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"CM-6(a)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"AC-6(1)\",\n \"href\": \"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf\"\n },\n {\n \"text\": \"PR.AC-4\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"PR.DS-5\",\n \"href\": \"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\"\n },\n {\n \"text\": \"Req-2.2.6\",\n \"href\": \"https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\"\n },\n {\n \"text\": \"SRG-OS-000480-GPOS-00227\",\n \"href\": \"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os\"\n }\n ],\n \"rationale\": {\n \"text\": \"If a public host key file is modified by an unauthorized user, the SSH service\\nmay be compromised.\",\n \"lang\": \"en-US\"\n },\n \"fix\": [\n {\n \"text\": \"# Remediation is applicable only in certain platforms\\nif [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then\\n\\nfind -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*\\\\.pub$' -exec chmod u-xs,g-xws,o-xwt {} \\\\;\\n\\nelse\\n >&2 echo 'Remediation is not applicable, nothing was done'\\nfi\",\n \"id\": \"file_permissions_sshd_pub_key\",\n \"system\": \"urn:xccdf:fix:script:sh\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"- name: Find /etc/ssh/ file(s)\\n command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex \\\"^.*\\\\.pub$\\\"\\n register: files_found\\n changed_when: false\\n failed_when: false\\n check_mode: false\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.13\\n - NIST-800-171-3.13.10\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - configure_strategy\\n - file_permissions_sshd_pub_key\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\\n\\n- name: Set permissions for /etc/ssh/ file(s)\\n file:\\n path: '{{ item }}'\\n mode: u-xs,g-xws,o-xwt\\n state: file\\n with_items:\\n - '{{ files_found.stdout_lines }}'\\n when: ansible_virtualization_type not in [\\\"docker\\\", \\\"lxc\\\", \\\"openvz\\\", \\\"podman\\\", \\\"container\\\"]\\n tags:\\n - NIST-800-171-3.1.13\\n - NIST-800-171-3.13.10\\n - NIST-800-53-AC-17(a)\\n - NIST-800-53-AC-6(1)\\n - NIST-800-53-CM-6(a)\\n - PCI-DSS-Req-2.2.6\\n - configure_strategy\\n - file_permissions_sshd_pub_key\\n - low_complexity\\n - low_disruption\\n - medium_severity\\n - no_reboot_needed\",\n \"id\": \"file_permissions_sshd_pub_key\",\n \"system\": \"urn:xccdf:fix:script:ansible\",\n \"complexity\": \"low\",\n \"disruption\": \"low\",\n \"strategy\": \"configure\"\n },\n {\n \"text\": \"include ssh_public_key_perms\\n\\nclass ssh_public_key_perms {\\n exec { 'sshd_pub_key':\\n command => \\\"chmod 0644 /etc/ssh/*.pub\\\",\\n path => '/bin:/usr/bin'\\n }\\n}\",\n \"id\": \"file_permissions_sshd_pub_key\",\n \"system\": \"urn:xccdf:fix:script:puppet\"\n }\n ],\n \"check\": [\n {\n \"check-content-ref\": {\n \"name\": \"oval:ssg-file_permissions_sshd_pub_key:def:1\",\n \"href\": \"ssg-ubuntu1804-oval.xml\"\n },\n \"system\": \"http://oval.mitre.org/XMLSchema/oval-definitions-5\"\n },\n {\n \"check-content-ref\": {\n \"name\": \"ocil:ssg-file_permissions_sshd_pub_key_ocil:questionnaire:1\",\n \"href\": \"ssg-ubuntu1804-ocil.xml\"\n },\n \"system\": \"http://scap.nist.gov/schema/ocil/2\"\n }\n ],\n \"id\": \"xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"medium\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "To properly set the permissions of, run the command:",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ },
+ {
+ "tags": {
+ "cci": [],
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ],
+ "severity": "unknown",
+ "description": "By default, inbound connections to SSH's port are allowed. If the SSH\nserver is not being used, this exception should be removed from the\nfirewall configuration.Edit the filesand(if IPv6 is in use). In each file, locate\nand delete the line:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "group_id": "xccdf_org.ssgproject.content_group_ssh",
+ "group_title": "SSH Server",
+ "group_description": "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,.\nIts server program is calledand provided by the RPM package.",
+ "rule_id": "xccdf_org.ssgproject.content_rule_iptables_sshd_disabled",
+ "check": "\"\"",
+ "fix_id": "",
+ "reference": {
+ "references": ""
+ },
+ "selected": "false",
+ "weight": "",
+ "profiles": [],
+ "rule_result": {
+ "result": "notselected",
+ "idref": "xccdf_org.ssgproject.content_rule_iptables_sshd_disabled",
+ "role": "full",
+ "time": "2023-03-20T12:28:12-05:00",
+ "severity": "unknown",
+ "weight": "1.000000"
+ },
+ "value": []
+ },
+ "refs": [],
+ "source_location": {},
+ "title": "Remove SSH Server iptables Firewall exception (Unusual)",
+ "id": "xccdf_org.ssgproject.content_rule_iptables_sshd_disabled",
+ "desc": "By default, inbound connections to SSH's port are allowed. If the SSH\nserver is not being used, this exception should be removed from the\nfirewall configuration.Edit the filesand(if IPv6 is in use). In each file, locate\nand delete the line:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "descriptions": [
+ {
+ "data": "If inbound SSH connections are not expected, disallowing access to the SSH\nport will avoid possible exploitation of the port by an attacker.",
+ "label": "rationale"
+ }
+ ],
+ "impact": 0,
+ "code": "{\n \"title\": {\n \"text\": \"Remove SSH Server iptables Firewall exception (Unusual)\",\n \"lang\": \"en-US\"\n },\n \"description\": {\n \"br\": [\n \"\",\n \"\"\n ],\n \"code\": [\n \"/etc/sysconfig/iptables\",\n \"/etc/sysconfig/ip6tables\"\n ],\n \"pre\": \"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\",\n \"text\": \"By default, inbound connections to SSH's port are allowed. If the SSH\\nserver is not being used, this exception should be removed from the\\nfirewall configuration.Edit the filesand(if IPv6 is in use). In each file, locate\\nand delete the line:This is unusual, as SSH is a common method for encrypted and authenticated\\nremote access.\",\n \"lang\": \"en-US\"\n },\n \"rationale\": {\n \"text\": \"If inbound SSH connections are not expected, disallowing access to the SSH\\nport will avoid possible exploitation of the port by an attacker.\",\n \"lang\": \"en-US\"\n },\n \"id\": \"xccdf_org.ssgproject.content_rule_iptables_sshd_disabled\",\n \"selected\": \"false\",\n \"role\": \"full\",\n \"severity\": \"unknown\"\n}",
+ "results": [
+ {
+ "status": "skipped",
+ "code_desc": "By default, inbound connections to SSH's port are allowed. If the SSH\nserver is not being used, this exception should be removed from the\nfirewall configuration.Edit the filesand(if IPv6 is in use). In each file, locate\nand delete the line:This is unusual, as SSH is a common method for encrypted and authenticated\nremote access.",
+ "start_time": "2023-03-20T12:28:12-05:00"
+ }
+ ]
+ }
+ ],
+ "sha256": "7030f3160a521cd693818aa5faf2d0998e32bb684abb366cc060d132588ef7e5"
+ }
+ ],
+ "passthrough": {
+ "auxiliary_data": [
+ {
+ "name": "XCCDF",
+ "data": {
+ "Benchmark": {
+ "status": {
+ "text": "draft",
+ "date": "2023-02-06"
+ },
+ "rear-matter": {
+ "text": "Red Hat and Red Hat Enterprise Linux are either registered\ntrademarks or trademarks of Red Hat, Inc. in the United States and other\ncountries. All other names are registered trademarks or trademarks of their\nrespective companies.",
+ "lang": "en-US"
+ },
+ "metadata": {
+ "publisher": "SCAP Security Guide Project",
+ "creator": "SCAP Security Guide Project",
+ "contributor": [
+ "Frank J Cameron (CAM1244) ",
+ "0x66656c6978 <0x66656c6978@users.noreply.github.com>",
+ "Håvard F. Aasen ",
+ "Jack Adolph ",
+ "Edgar Aguilar ",
+ "Gabe Alford ",
+ "Firas AlShafei